Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Date: 18 Dec 2003 10:30:16 -0000
From: Jamie Fisher <contact_jamie_fisher@yahoo.co.uk.>
To: bugtraq@securityfocus.com
Subject: CyberGuard proxy / firewall XSS



Overview:



Vendor : CyberGuard

URL    : <A HREF="http://www.cyberguard.com">http://www.cyberguard.com<;/A>

Version: 5.1 - Other versions have not been not tested

Issue  : Cross Site Script

Impact : Low - Medium



Description:



<A HREF="http://www.cyberguard.com/solutions/product_overview.cfm">Overview of product</A>



Problem:



By issuing a GET request for an invalid Internet domain name <A HREF="http://domain.tld">http://domain.tld<;/A> through the CyberGuard proxy from an internal network to the Internet, it is possible to append a basic syntax for a Cross Site Script...



For instance: <A HREF="http://domain.tld<script>alert('test')</script>">Click here</A>.



Variants have been tested and it is possible to also include images on the error page.



For instance: it is possible to specify an image with the &lt;img src&gt; tag while also specifying a Cross Site Script - in the same address &lt;script&gt;alert('test')&lt;/script&gt;



Should you be 'vulnerable' to the CyberGuard proxy / firewall CSS then you should see a similar page or a variant depending on the configuaration.



As http (through the GUI) can be used as a mechanism whereby access to the the logs can be viewed, it may be possible for a miscreant to, through the usual obfuscation methods (encoding types) trick an administrator of the CyberGuard proxy / firewall into clicking on a Cross Site Script to gain privileged user credentials by specifying the (document.cookie) with a refer to a file where the user credentials can be collected for the purpose of executing by loading the credentials into the Achilies (or simila
r) proxy.



Note: this method of attack is yet untested.



Possible Solution:



Input validation of code executed on the CyberGuard proxy / firewall.

Configure the Cyberguard proxy / firewall so that management access can only be accessed via SSH.



Solution:



See Vendor for solution.



Vendor Notification:



Yes



Credit:



Everyone doing IT Security

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Партнёры:

Хостинг: