Bloxx Web Filtering contains multiple XSS, CSRF, and authentication bypass vulnerabilities.
According to Bloxx's website, Bloxx Web Filtering is a real-time Web content filter which performs live analysis and real-time categorization of Web pages to dramatically improve protection and security. Bloxx Web Filtering software contains multiple XSS, CSRF, and authentication bypass vulnerabilities which could allow an attacker to run arbitrary code.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE-2012-2563:
(1) The Bloxx Reports are vulnerable to Persistent XSS. A malicious user, who's web traffic is being filtered by the Bloxx Web Filtering could inject persistent malicious code into the Bloxx Reports. When a Bloxx administrator views reports in the administrative interface that contains the entry, the malicious code will execute. A malicious user could use this to gain administrative access to the Bloxx administrator interface or execute arbitrary code on an administrative user.
<http://localhost/?test=>``<script>alert("XSS");</script> (2) The following menu functions in the Bloxx administrative interface are reported to be vulnerable to Persistent XSS. A malicious lower level administrator that has access to one of these functions could inject malicious code targeting a higher level administrator to escalate privileges or execute arbitrary code. Reported menu functions affected:
* Administrators -> Administrators: Full Name field
* Filtering & Protection -> Categories: Name and Description fields
* Identification -> Identify: Name field
* Users & Groups -> Users: Username field
* Users & Groups -> Groups: Name and Description fields
* Filtering Policies: Name and Description fields
* Proxy & Cache -> Redirection: Original URL and Redirection fields
* Administrators -> Audit Trail: XSS that is injected in the Redirection function will render here and execute
* Alerts -> Email: Destination field
* Appliance Customization -> Access Denied Page: Name field
* Appliance Customization -> Login Page: Name field
* Appliance Customization -> Logout Denied Page: Name field
CWE-352: Cross-Site Request Forgery (CSRF) CVE-2012-2564:
(3) It has been reported that all the functions on the Bloxx administrative interface are vulnerable to CSRF. A malicious user could craft a specialized web page and force a Bloxx administrator to execute unwanted actions on the Bloxx administrative interface in which they are currently authenticated. It is not required that the Bloxx administrator have a window open to the administrative interface. If the Bloxx administrator did not use the "Log out" link, even closing the browser window could still leave the session open. (4) The Bloxx Web Filtering device uses Microdasys for SSL interception. When a user tries to use HTTPS to connect to a site that does not support HTTPS, a Microdasys SSL error page is displayed to the user. This error page is vulnerable to a reflected XSS attack. A malicious user can send a crafted HTTPS URL for a site that does not support HTTPS that contains malicious code to a victim. When the victim tries to connect to the crafted URL, the Microdasys engine will try to connect over HTTPS to the URL. The connection will fail since the target site does not support HTTPS and the Microdasys SSL error page will be presented to the user which includes the unsanitized URL.
CWE-257: Storing Passwords in a Recoverable Format CVE-2012-2565:
(5) The Bloxx administrative interface has a function to backup the current configuration and save it to a file. The file that is saved includes all the configuration information of the Bloxx device including the administrator user credentials. The user information includes the username, administrative level, email address, and a SHA-1 hash of the password. If a malicious lower level administrator has access to the backup functionality or a malicious user has access to the backup file, they could extract the SHA-1 hashes to be cracked. No salt is implemented so the hashes can be cracked against a rainbow table. If a malicious lower level administrator also has rights to
restore a backup file, they could replace the password of a higher level administrator account with a hash with their own.
CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax CVE-2012-2566:
(6) An unauthenticated user can bypass the IP restriction and falsify the logs for HTTPS sites by inserting the X-Forwarded-For HTTP header with the value of an authorized IP address. A malicious user could also connect via HTTPS to a site that does not support HTTPS with the X-Forwarded-For header and the entry in the Bloxx logs will record it as a connection to a HTTP site. For example, a malicious user could direct requests to non-approved websites, such as <https://www.website.com>, and the Bloxx logs will reflect that the victim has visited <http://www.website.com> and other adult websites.
The CVSS score below applies to CVE-2012-2564.
An attacker with access to the Bloxx Web Filtering management web interface can conduct a cross-site scripting or cross-site request forgery attack, which could be used to result in information leakage, privilege escalation, and/or denial of service. An attacker with access to the Bloxx backup configuration files could recover the password hashes of the administrator account or possibly change the administrator account password.
The vendor has stated that these vulnerabilities have been addressed in Bloxx Web Filtering 5.0.14. The Microdasys SSL issues have been addressed in Microdasys 3.5.1-B708 (or above) is now is installed by default for Bloxx Web Filtering 5.0.14 and above. The vendor is advising user to update to Bloxx Web Filtering 5.0.14 and above.
As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Bloxx Web Filtering management web interface using stolen credentials from a blocked network location.
Vendor| Status| Date Notified| Date Updated
Bloxx Ltd| | 07 Feb 2012| 30 May 2012
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal | 5.6 | E:F/RL:OF/RC:C
Environmental | 1.4 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND
Thanks to Travis Lee for reporting this vulnerability.
This document was written by Michael Orlando.