[Full-Disclosure] Symantec Gateway Security Management Service Cross Site Scripting

2004-02-27T00:00:00
ID SECURITYVULNS:DOC:5838
Type securityvulns
Reporter Securityvulns
Modified 2004-02-27T00:00:00

Description

Symantec Gateway Security Management Service Cross Site Scripting

Product: Symantec Gateway Security 2.0 Date: 02/25/2004 Author: Brian Soby, Raytheon

1. Overview

A cross site scripting vulnerability exists in Symantec Gateway Security's management service which could allow an attacker to hijack a management session to the device.

2. Vulnerability Description

A vulnerability exists in the Symantec Gateway Security management server object's handling of URLs when including them in error pages displayed to the requesting client. No parsing is done to the URLs to ensure that HTML tags are not included and returned to the client.

3. Conditions

The URL requested by the client must be handled by the Symantec Gateway Security's custom server object. For example, any request for an object under the /sgmi directory is passed to the Symantec Gateway Security server object for processing. The attacker could present a URL in the form of https://FirewallHostname:2456/sgmi/<script>badscript</script> to the client. SGS would display the URL back to the client, usually in a 404 page or other error page, causing the execution of the script "badscript" in the context of the SGS device.

4. Impact

Malicious script can be executed in the context of a trusted device, authentication cookies can be stolen (including JSESSIONID cookie used to authenticate a management session), etc. Because no access control policy restricts the access to the management service by default, an attacker who is able to obtain the JSESSIONID cookie for a valid session could connect from an untrusted network and assume management rights of the device.

5. Solution

Symantec has released a patch that addresses this issue. It is available at http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_2_5400/files.html under hotfix ID SG8000-20040130-00. This problem is described in the hotfix readme as a fix that "Changes the return page when management URL is requested incorrectly"

6. Disclaimer

The information in this advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties, expressed or implied, with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with this information.

7. Copyright

Copyright (c) 2004 Raytheon. Permission is hereby granted to redistribute this alert electronically, provided it is left whole and not modified in any way.