03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance
TITLE: 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN
appliance
SUMMARY
Cross Site Scripting bug in the 'delhomepage.cgi' CGI binary in the
NetScreen-SA 5000 Series SSL VPN appliance.
DETAILS
There exists a cross-site scripting bug in 'row' parameter of the
'delhomepage.cgi' CGI binary. This bug was discovered on an appliance
known as an "A5030-Clustered pair" running firmware version 3.3 Patch
1
(build 4797). The vulnerability may exist in other versions. This
issue
may result in the theft of credentials such as session cookies, allow
hostile client-side scripts to run with unintended access privileges,
or
provide a means for a "phishing" attack. For more detailed
descriptions
of Cross Site Scripting and its implications, please refer to
whitepapers
such as:
http://www.cgisecurity.com/articles/xss-faq.shtml
http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf
The 'delhomepage.cgi' is accessible only by authenticated users.
WORKAROUND
Upgrade to the patched version of IVE software. Contact Netscreen
support
for details.
ORIGINATOR
The issue was discovered by Mark Lachniet of Analysts International
[lachniet -=at=- analysts.com] during a security analysis of the web
application interface of the device. Analysts International's
security
team provides a variety of security services and can be reached at
[SecurityServices -=at=- analysts.com].
MAINTAINER
The maintainer of the Netscreen IVE SSL VPN Appliance is the Netscreen
Corporation [http://www.netscreen.com]. The following information
about
security at Netscreen is taken from the Security Center web page at:
http://www.netscreen.com/services/security/index.jsp
"Please report any potential or real instances of a security
vulnerability
(with any NetScreen product or service) to the NetScreen Security
Alert
Team at security@xxxxxxxxxxxxx . For immediate assistance, TAC isd
Available 24 hours a day by calling 1-877-NETSCREEN."
VENDOR RESPONSE
In the opinion of the author, the Netscreen corporation responded
quickly
and efficiently to this issue, and clearly takes the security of their
products seriously. Netscreen should be commended for their prompt
and
professional handling of the issue.
DATE OF CONTACT
2/6/2004 - Sent E-Mail to Sriram Ramachandran [SRamachandran -=at=-
netscreen.com] and received response. Immediately discussed
issue via. conference call. The bug was confirmed by the
Netscreen staff.
2/7/2004 - Draft advisory sent to Netscreen support staff
2/9/2004 - Ongoing dialog with Netscreen on issue
2/11/2004 - Ongoing dialog with Netscreen on issue
2/18/2004 - Ongoing dialog with Netscreen on issue
2/23/2004 - Ongoing dialog with Netscreen on issue
2/25/2004 - Advisory updated based on vendor response
3/02/2004 - Final advisory released