Bugtraq mailing list archives

Aladdin eSafe Gateway Script-filtering Bypass through HTML tags


From: "eDvice Security Services" <support () edvicetech com>
Date: Tue, 29 May 2001 23:42:43 +0200

29 May 2001

This is the second of 3 sequential advisories we are issuing regarding
Aladdin eSafe Gateway.

Product Background
---------------------------
eSafe Gateway is an Internet Content Security product.

You can configure eSafe Gateway to remove scripts (VBScripts, JavaScripts)
and other executable tags from incoming HTML documents. Alternatively, the
administrator can ban certain scripting commands from appearing inside
scripts. The banned commands will be removed, while the rest of the HTML
page is left intact.

Scope
---------
eDvice recently conducted a test of eSafe's ability to remove scripts from
HTML documents. Although scripts are widely used by many web sites, some
organizations that want to allow only limited Internet access from their
internal network prefer to disable scripting capabilities altogether, in order
to avoid both known and yet-to-be-discovered browser-based attacks.

The Findings
------------------
eSafe ignores scripting language commands embedded inside HTML tags. This
allows an attacker to bypass eSafe's script filtering mechanism.

Details
----------
The HTML specification allows scripting commands to be embedded in various
tags, such as <BODY>, <BUTTON>, <INPUT> and so on. The scripting commands are
included as an attribute of the tag and are executed under various
conditions. For example, commands placed in the ONLOAD attribute of the
<BODY> tag are executed automatically when the page is loaded into the
browser.
eSafe completely ignores such scripting commands, allowing an attacker to
bypass its script filtering mechanism and introduce malicious code into an
organization. For example, the following potentially harmful script goes
undetected by eSafe, even when the "remove all scripts" option is enabled:


<A HREF="javascript:var fso = new ActiveXObject('Scripting.FileSystemObject');
var a = fso.CreateTextFile('c:\\testfile2.txt', true);
a.WriteLine('This is a test.');a.Close();">Click here</A>

HREF is not the only attribute ignored. Any tag attribute capable of carrying
a scripting command passes through eSafe unfiltered. For example:

<BODY onload="alert('hi');">
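As an added illustration, not part of the original advisory or of Aladdin's product, the following Python filter rebuilds an HTML document with the standard library's html.parser and shows why removing <SCRIPT> elements alone is not enough: in its naive mode only <SCRIPT> content is dropped, so the ONLOAD handler and javascript: HREF shown above survive, while strict mode also drops on* attributes and javascript:/vbscript: pseudo-URLs in link-like attributes. The sample page, the attribute list and the class and function names are constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample mirroring the advisory's two bypass forms (not from the original post).
SAMPLE = ('<body onload="alert(\'hi\')"><script>alert(1)</script><a href=" JavaScript:alert(2)">'
          'Click here</a><a href="http://example.com/">ok &amp; safe</a></body>')
URL_ATTRS = {"href", "src", "action", "formaction", "background"}
SCRIPT_SCHEME = re.compile(r"^[\x00-\x20]*(javascript|vbscript):", re.I)

class ScriptStripper(HTMLParser):
    # strict=False removes only <script> elements (the behaviour the advisory describes);
    # strict=True also drops on* event-handler attributes and script pseudo-URLs.
    def __init__(self, strict):
        super().__init__(convert_charrefs=False)
        self.strict, self.out, self.in_script = strict, [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True           # the parser hands us the body via handle_data
            return
        kept = []
        for name, value in attrs:           # names arrive lowercased, values unescaped
            if self.strict and name.startswith("on"):
                continue                    # ONLOAD, ONCLICK, ONMOUSEOVER, ...
            if self.strict and name in URL_ATTRS and value is not None:
                if SCRIPT_SCHEME.match(re.sub(r"[\t\n\r]", "", value)):
                    continue                # javascript: URL, even with embedded whitespace
            kept.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + tag + "".join(" " + a for a in kept) + ">")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(data)

    def handle_entityref(self, name):       # keep &amp; and friends encoded on output
        self.handle_data(f"&{name};")
    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

def strip_scripts(document, strict):
    parser = ScriptStripper(strict)         # strict=True closes the attribute-based bypass
    parser.feed(document)
    parser.close()
    return "".join(parser.out)
```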

Status
--------
The entire content of this advisory was reviewed and acknowledged by
Aladdin.
Aladdin was informed on May 22 2001.
Aladdin claims that this issue is mentioned in the product's Release Notes.
We have downloaded the Release Notes from Aladdin's web site a month ago and
then again today.
We found no evidence to support this claim.
We called Aladdin today and asked them to send us the Release Notes.
Aladdin sent us a version of the Release Notes that addresses this issue.
These Release Notes (a PDF file) were produced today, 29 May 2001.

Conclusion
---------------
We find eSafe's "remove all scripts" feature has a fundamental flaw.
Organizations that wish to disable scripting altogether are trying to
prevent hostile sites from using scripts to penetrate their systems. These
hostile sites can easily bypass eSafe by placing the code in an HREF attribute
or any other tag attribute. Even worse is the false sense of security given by
Aladdin's claim that all scripts are removed from the HTML files.

====================
Discovered by:
eDvice Security Services
support () edvicetech com
http://www.edvicetech.com
Tel: +972-3-6120133
Fax: +972-3-6954837


