WatchGuard XTM 11.8 Cross Site Scripting

`I. VULNERABILITY  
  
-------------------------  
  
Reflected XSS Attacks vulnerabilities in WatchGuard XTM 11.8  
  
  
  
  
II. BACKGROUND  
  
-------------------------  
  
WatchGuard builds affordable, all-in-one network and content security  
solutions to provide defense in depth for corporate content, networks and  
the businesses they power.  
  
III. DESCRIPTION  
  
-------------------------  
  
Has been detected a Reflected XSS vulnerability in XTM WatchGuard.  
  
The code injection is done through the parameter "poll_name" in the  
page "/firewall/policy?pol_name=(HERE XSS)"  
  
  
  
IV. PROOF OF CONCEPT  
  
-------------------------  
  
The application does not validate the parameter "poll_name" correctly.  
  
https://10.200.210.100:8080/firewall/policy?pol_name=qqq"><body  
onload=alert(document.cookie)>&service=Any&is_new=1  
  
  
  
V. BUSINESS IMPACT  
  
-------------------------  
  
An attacker can execute arbitrary HTML or script code in a targeted  
  
user's browser, that allows the execution of arbitrary HTML/script  
code to be executed in the context of the victim user's browser  
allowing Cookie Theft/Session Hijacking, thus enabling full access the  
box.  
  
  
  
VI. SYSTEMS AFFECTED  
  
-------------------------  
  
Tested WatchGuard XTM Version: 11.8 (Build 432340)  
  
  
  
  
  
VII. SOLUTION  
-------------------------  
  
All data received by the application and can be modified by the user,  
  
before making any kind of transaction with them must be validated  
  
  
VIII. References  
-------------------------  
http://www.kb.cert.org/vuls/id/807134  
http://watchguardsecuritycenter.com/2014/03/13/fireware-xtm-11-8-3-update-corrects-xss-flaw/  
  
  
By William Costa  
  
[email protected]  
`