Symantec Gateway Security Management Service Cross Site Scripting
Symantec Gateway Security Management Service Cross Site Scripting
Product: Symantec Gateway Security 2.0
Date: 02/25/2004
Author: Brian Soby, Raytheon
1. Overview
----------------------------------------
A cross site scripting vulnerability exists in Symantec Gateway Security's
management service which could allow an attacker to hijack a management
session to the device.
2. Vulnerability Description
----------------------------------------
A vulnerability exists in the Symantec Gateway Security management server
object's handling of URLs when including them in error pages displayed to
the requesting client. No parsing is done to the URLs to ensure that HTML
tags are not included and returned to the client.
3. Conditions
---------------------------------------
The URL requested by the client must be handled by the Symantec Gateway
Security's custom server object. For example, any request for an object
under the /sgmi directory is passed to the Symantec Gateway Security
server object for processing. The attacker could present a URL in the form
of https://FirewallHostname:2456/sgmi/<script>badscript</script> to the
client. SGS would display the URL back to the client, usually in a 404
page or other error page, causing the execution of the script "badscript"
in the context of the SGS device.
4. Impact
--------------------------------------
Malicious script can be executed in the context of a trusted device,
authentication cookies can be stolen (including JSESSIONID cookie used to
authenticate a management session), etc. Because no access control policy
restricts the access to the management service by default, an attacker who
is able to obtain the JSESSIONID cookie for a valid session could connect
from an untrusted network and assume management rights of the device.
5. Solution
--------------------------------------
Symantec has released a patch that addresses this issue. It is available
at
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_2_5400/files.html
under hotfix ID SG8000-20040130-00. This problem is described in the
hotfix readme as a fix that "Changes the return page when management URL
is requested incorrectly"
6. Disclaimer
--------------------------------------
The information in this advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties, expressed or implied, with regard to this information.
In no event shall the author be liable for any damages whatsoever arising
out of or in connection with this information.
7. Copyright
--------------------------------------
Copyright (c) 2004 Raytheon. Permission is hereby granted to redistribute
this alert electronically, provided it is left whole and not modified in
any way.