It's a patch to the protocol signature database, happens nightly.
From: reepex [mailto:[EMAIL PROTECTED] Sent: Thursday, December 13, 2007 10:46 AM To: Hubbard, Dan; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass automatic updates with notification? Silent patching? Microsoft tactics? I also knew websense was a joke but now you have come to this? On Dec 13, 2007 8:49 AM, Hubbard, Dan < [EMAIL PROTECTED]> wrote: An added note on this... Customers do not need to download nor install any new patch for this fix. It was automatically updated and installed with our nightly protocol signature updates. -----Original Message----- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ] On Behalf Of The Security Community Sent: Wednesday, December 12, 2007 3:32 PM To: [EMAIL PROTECTED]; Full-Disclosure Subject: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass Mr. HinkyDink would like to share the following with the Security Community... ---------- Forwarded message ---------- From: < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > Date: Dec 12, 2007 6:05 PM Subject: Websense 6.3.1 Filtering Bypass To: [EMAIL PROTECTED] Please share this with your little friends... ------------------------------------------ Websense Policy Filtering Bypass ================================ discovered by mrhinkydink PRODUCT: Websense Enterprise 6.3.1 EXPOSURE: Web Filtering Bypass SYNOPSIS ======== By spoofing the User-Agent header it is possible to bypass filtering and, to a lesser extent, monitoring in a Websense Enterprise 6.3.1 environment. PROOF OF CONCEPT ================ The following was tested in an unpatched 6.3.1 system using the ISA Server integration product. It is assumed it will work with other integration products but this has not been tested. Other User Agents may also work. I. Install FireFox 2.0.x II. Obtain and install the User Agent Switcher browser plug-in by Chris Pederick III. Add the following User Agents to the plug-in Description: RealPlayer User Agent : RealPlayer G2 Description: MSN Messenger User Agent : MSMSGS Description: WebEx User Agent : StoneHttpAgent IV. Change FireFox's User Agent to any one of the preceding values V. Browse to a filtered Web site VI. Content is allowed Content browsed via this method will be recorded in the Websense database as being in the "Non-HTTP" category. Demonstration: http://www.youtube.com/watch?v=pKv41ge8XcQ SEE ALSO ======== Websense KnowledgeBase article #976 The vendor acknowledges this behavior in the aforementioned article. WORKAROUND ========== Disable the protocols mentioned above. VENDOR RESPONSE =============== Websense has repaired this issue in database #92938 NOTICE ====== mrhinkydink is not to be confused with the blogger by the same name at www.dailykos.com c. MMVII mrhinkydink _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ Protected by Websense Messaging Security ? www.websense.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ Click here <https://www.mailcontrol.com/sr/Jo+9N2kMkss75ZucUpZhRp2tihLnD5c4rWWfdAaP U9YfGN7ptLE6OsoAO+XvfwiHtEzvgPLjSZPxcw3B5Y5XDyPFvOGuUpO5Q87uxOwIFjMpxw1i utg6REZstBhj9JnKPoif2919X!Ptf6Kif6flhzLOBSUMW3t2nYXR!5Lo3JL+oiz30xcCB4E7 ak4hnJfmdA+ZQfG1SxBSBKtqujQEyHUQ!9WMdjXr> to report this email as spam.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
