CyberGuard proxy / firewall XSS
Overview:
Vendor : CyberGuard
URL : <A HREF="http://www.cyberguard.com";>http://www.cyberguard.com</A>
Version: 5.1 - Other versions have not been not tested
Issue : Cross Site Script
Impact : Low - Medium
Description:
<A HREF="http://www.cyberguard.com/solutions/product_overview.cfm";>Overview of
product</A>
Problem:
By issuing a GET request for an invalid Internet domain name <A
HREF="http://domain.tld";>http://domain.tld</A> through the CyberGuard proxy
from an internal network to the Internet, it is possible to append a basic
syntax for a Cross Site Script...
For instance: <A
HREF="http://domain.tld<script>alert('test')</script>">Click
here</A>.
Variants have been tested and it is possible to also include images on the
error page.
For instance: it is possible to specify an image with the <img src> tag
while also specifying a Cross Site Script - in the same address
<script>alert('test')</script>
Should you be 'vulnerable' to the CyberGuard proxy / firewall CSS then you
should see a similar page or a variant depending on the configuaration.
As http (through the GUI) can be used as a mechanism whereby access to the the
logs can be viewed, it may be possible for a miscreant to, through the usual
obfuscation methods (encoding types) trick an administrator of the CyberGuard
proxy / firewall into clicking on a Cross Site Script to gain privileged user
credentials by specifying the (document.cookie) with a refer to a file where
the user credentials can be collected for the purpose of executing by loading
the credentials into the Achilies (or similar) proxy.
Note: this method of attack is yet untested.
Possible Solution:
Input validation of code executed on the CyberGuard proxy / firewall.
Configure the Cyberguard proxy / firewall so that management access can only be
accessed via SSH.
Solution:
See Vendor for solution.
Vendor Notification:
Yes
Credit:
Everyone doing IT Security