Websense Reporting Cross Site Scripting

2015-03-19T00:00:00
ID PACKETSTORM:130905
Type packetstorm
Reporter Han Sahin
Modified 2015-03-19T00:00:00

Description

------------------------------------------------------------------------  
Multiple Cross-Site Scripting vulnerabilities in Websense Reporting  
------------------------------------------------------------------------  
Han Sahin, September 2014  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
It has been found that Websense Reporting is affected by multiple  
Cross-Site Scripting issues. Cross-Site Scripting allows an attacker to  
perform a wide variety of actions, such as stealing the victim's session  
token or login credentials, performing arbitrary actions on the victim's  
behalf, and logging their keystrokes.  
  
------------------------------------------------------------------------  
Tested versions  
------------------------------------------------------------------------  
This issue was discovered on Websense Triton v7.8.3 and Websense  
appliance modules V-Series v7.7. Other versions may be affected as well.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
Websense released hotfix 02 for Websense Triton v7.8.4 in which this  
issue is fixed. More information about this hotfix can be found at the  
following location:  
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions  
  
This issue is resolved in TRITON APX Version 8.0. More information about  
the fix can be found at the following location:  
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.html  
  
One example of a vulnerable request parameter is col. Its value is copied into the value of an HTML tag attribute, encapsulated in double quotation marks. The value is echoed unmodified (without output encoding) in the application's response. This vulnerability can be reproduced using the following steps:  
  
- log in to the Admin GUI;  
- open the proof of concept below;  
- hover over 'Risk Class' in the left corner.  
  
https://<target>:9443/explorer_wse/explorer_anon.exe?col=a86de%27onmouseover%3d%27alert%28document.cookie%29%27de90f&delAdmin=0&startDate=2014-07-31&endDate=2014-08-01  
  
An attacker must trick victims into opening the attacker's specially crafted link. This is possible, for example, by sending a victim a link in an email or instant message. Once a victim opens the specially crafted link, arbitrary client-side scripting code will be executed in the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.  
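A log-review check for the request pattern described above, added here as an example (it is not part of the original advisory and not Websense code). The access-log format, the sample lines, the benign `col` value and the function names are constructed assumptions; the check covers every query parameter under the reporting path, not only `col`, because the advisory reports multiple affected parameters.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REPORT_PATH = "/explorer_wse/"  # path prefix taken from the advisory's URL
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
BREAKOUT = re.compile(r"""['"<>`]""")          # can close an attribute or tag
HANDLER = re.compile(r"\bon[a-z]+\s*=", re.I)  # e.g. onmouseover=

# Constructed sample lines (assumed combined-log style, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Aug/2014:10:00:01 +0000] "GET /explorer_wse/explorer_anon.exe?col=risk_class&delAdmin=0&startDate=2014-07-31&endDate=2014-08-01 HTTP/1.1" 200 5120',
    '10.0.0.7 - admin [01/Aug/2014:10:02:13 +0000] "GET /explorer_wse/explorer_anon.exe?col=a86de%27onmouseover%3d%27alert%28document.cookie%29%27de90f&delAdmin=0&startDate=2014-07-31&endDate=2014-08-01 HTTP/1.1" 200 5188',
    '10.0.0.9 - - [01/Aug/2014:10:03:40 +0000] "GET /help/search?q=it%27s HTTP/1.1" 200 812',
]

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding, bounded so odd input cannot loop."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return (name, decoded value, reasons) for risky report parameters."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.startswith(REPORT_PATH):
        return []  # only the reporting component is in scope here
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = decode_fully(value)
        reasons = []
        if BREAKOUT.search(value):
            reasons.append("attribute-breakout character")
        if HANDLER.search(value):
            reasons.append("event-handler assignment")
        if reasons:
            hits.append((name, value, reasons))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value, reasons in suspicious_params(line):
            print(f"{name}={value!r}: {', '.join(reasons)}")
```

A hit in the logs means such a link was requested, not that a script ran in an administrator's browser; the page's fix remains installing the hotfix or TRITON APX 8.0.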