Mr. HinkyDink would like to share the following with the Security Community...

---------- Forwarded message ----------
From:  <dink@mrhinkydink.com>
Date: Dec 12, 2007 6:05 PM
Subject: Websense 6.3.1 Filtering Bypass
To: thesecuritycommunity@gmail.com



Please share this with your little friends...

------------------------------------------

Websense Policy Filtering Bypass
================================
discovered by mrhinkydink


PRODUCT: Websense Enterprise 6.3.1

EXPOSURE: Web Filtering Bypass

SYNOPSIS
========

By spoofing the User-Agent header it is possible to bypass filtering and,
to a lesser extent, monitoring in a Websense Enterprise 6.3.1 environment.

PROOF OF CONCEPT
================

The following was tested in an unpatched 6.3.1 system using the ISA Server
integration product.  It is assumed it will work with other integration
products but this has not been tested.  Other User Agents may also work.

I.  Install FireFox 2.0.x

II. Obtain and install the User Agent Switcher browser plug-in  by Chris
    Pederick

III. Add the following User Agents to the plug-in

     Description: RealPlayer
     User Agent : RealPlayer G2

     Description: MSN Messenger
     User Agent : MSMSGS

     Description: WebEx
     User Agent : StoneHttpAgent

IV.  Change FireFox's User Agent to any one of the preceding values

V.   Browse to a filtered Web site

VI.  Content is allowed

Content browsed via this method will be recorded in the Websense database
as being in the "Non-HTTP" category.

Demonstration: http://www.youtube.com/watch?v=pKv41ge8XcQ

SEE ALSO
========
Websense KnowledgeBase article #976

The vendor acknowledges this behavior in the aforementioned article.

WORKAROUND
==========
Disable the protocols mentioned above.

VENDOR RESPONSE
===============
Websense has repaired this issue in database #92938

NOTICE
======
mrhinkydink is not to be confused with the blogger by the same name
at www.dailykos.com

c. MMVII mrhinkydink