CVE-ID

CVE-2001-1152

Description
Baltimore Technologies WEBsweeper 4.02, when used to manage URL blacklists, allows remote attackers to bypass blacklist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parent directory, (3) a /./, or (4) URL-encoded characters.
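The four bypass forms above are all spellings of the same path, so a filter that compares raw request strings against its blacklist misses them. The following is an added example (not code from the CVE entry or from the WEBsweeper product) of canonicalizing a URL before the blacklist comparison; the host example.test and the blacklist entries are constructed for the demonstration.

```python
"""Canonicalize a requested URL before matching it against a URL blacklist.

Double slashes, /SUBDIR/.., /./ and percent-encoded characters (the forms
named in CVE-2001-1152) all collapse to one canonical path, so a blacklist
match on the canonical form is not bypassed by rewriting the request.
"""
from urllib.parse import urlsplit, unquote

# Constructed sample blacklist; entries are normalized before comparison too.
BLACKLIST = ["http://example.test/secret/", "HTTP://Example.test/admin"]


def canonical_path(path: str) -> str:
    # Percent-decode until stable (bounded). For a blacklist, decoding more
    # than the origin server would is the safe direction: it can only over-block.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):        # collapses "//" and "/./"
            continue
        if seg == "..":             # "/SUBDIR/.." resolves to the parent
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def canonical_url(url: str) -> str:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return f"{parts.scheme.lower()}://{host}{canonical_path(parts.path)}"


def is_blocked(url: str, blacklist=BLACKLIST) -> bool:
    """True if the canonical URL equals a blacklisted URL or lies beneath it."""
    target = canonical_url(url)
    for entry in blacklist:
        blocked = canonical_url(entry)
        if target == blocked or target.startswith(blocked + "/"):
            return True
    return False


if __name__ == "__main__":
    for u in ["http://example.test//secret/page.html",
              "http://example.test/pub/../secret/page.html",
              "http://example.test/./secret/page.html",
              "http://example.test/%73ecret/page.html",
              "http://example.test/public/index.html"]:
        print(f"{u} -> {canonical_url(u)} blocked={is_blocked(u)}")
```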
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Date Entry Created
20020315
Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (20020315)
Votes (Legacy)
ACCEPT(2) Baker, Foat
MODIFY(1) Frech
NOOP(4) Armstrong, Cole, Green, Wall
REJECT(1) Ziese
Comments (Legacy)
 Ziese> ACCEPT REASON: Rejection logic makes sense, products have to be used as
   intended.  Misuse is not a security vulnerability per se.
 Frech> XF:content-slash-bypass-filter(6816)
 Baker> I would say that this is a vulnerability, since their website
   touts URL filtering as a feature of the product.  If the product has to
   filter URLs then the product needs to be able to filter URLs properly,
   or the product fails.
   Here is the list of features, quoted from their product page for
   web sweeper:
   
   "Key Features
   Policy based web security implementation for information posted to and downloaded from the web
   Protects against unauthorized users accessing the web utilizing user authentication
   Provides URL filtering blocking stopping inappropriate site access
   Protects against loss of confidential information, viruses, portable code, and inappropriate content entering and
   leaving via web based e-mail accounts such as hotmail and Yahoo
   Auditing and reporting on individual and group web traffic
   Customizable "Block" and "Progress Message" pages "

Proposed (Legacy)
20020315
This is an entry on the CVE list, which standardizes names for security problems.