Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Security)  >   Websense Vendors:   Websense
Websense 'Via:' Header Lets Remote Users Bypass Filtering and Monitoring
SecurityTracker Alert ID:  1024048
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Jun 6 2010
Original Entry Date:  Jun 1 2010
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6.3.3
Description:   A vulnerability was reported in Websense. A remote user can bypass web filtering and monitoring.

A remote user can supply a specially crafted 'Via:' header to, in conjunction with a downstream proxy, cause Websense to fail to filter and log the request and response.

Websense is affected when used in a Microsoft ISA Server 2004 or 2006 environment.

Websense version 7.x is reportedly not affected.

The vendor was notified on October 9, 2009.

mrhinkydink reported this vulnerability.

Impact:   A remote user can bypass web filtering and monitoring.
Solution:   The vendor has issued a fix.

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Red Hat Enterprise), Linux (Red Hat Fedora), UNIX (Solaris - SunOS), Windows (2000), Windows (2003)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass

discovered by mrhinkydink

PRODUCT: Websense Enterprise v6.3.3

EXPOSURE: Trivial Web Policy Bypass


By adding a "Via:" header to an HTTP request it is possible for a user
to completely bypass filtering and monitoring in a Websense Enterprise
6.3.3/Microsoft ISA Server (2004 or 2006) proxy integration environment.


The following works in a Websense 6.3.3 Enterprise system using the ISA
Server integration product and transparent authentication. It is assumed
it will work with other proxy integration products, but this has not
been tested.

I. Install Firefox >= 3.5

II. Obtain and install the Modify Headers plug-in by Gareth Hunt

III. Configure the plug-in to add a valid "Via:" header to every request

Example: "Via: 1.1 VIAPROXY"

IV. Browse to a filtered Web site

V. All content is allowed without monitoring



The Modify Headers plug-in does not work with SSL. However, in practice
a user could browse to a so-called (by Websense) "Proxy Avoidance" Web
site and use the SSL capabilities of the remote proxy.


Properly configured, a downstream SQUID proxy can send requests to the
upstream ISA server and all requests will pass through without blocking
or monitoring. No evidence of activity will be logged by Websense. This
was in fact how this vulnerability was originally discovered.
Considering the simplicity of the attack, the author suspects this
bypass technique is already well-known in certain circles.

Also, it is trivial to modify proxy-enabled Linux utilities to leverage
this bypass. The author has recompiled (that is, HACKED) OpenVPN,
connect-proxy, PuTTY, stunnel, and others to take advantage of this
policy bypass.

Obviously, the risk of undetected (by Websense, at least) covert tunnels
is high in a vulnerable installation of this product.

Linux platforms using this method in this specific environment will also
enjoy bypassing Websense's transparent authentication requirement.


For this specific installation scenario (Websense 6.3.3 + ISA 2004/6 +
transparent authentication), none are known. The following may work:

* Use Windows Integrated Authentication on the ISA Server

* Upgrade to Websense 7.x

* Do not use a proxy integration product


10/09/2009 - vendor notified

05/29/2010 - PoC published


c. MMX mrhinkydink

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC