An application-side input validation web vulnerability has been discovered in the official GTA Web Firewall appliance - GB OS v6.2.02. The vulnerability allows local attackers to inject their own malicious script code on the application side of the affected module context.
The security vulnerability is located in the Edit Packet Capture Filter function of the Monitor - Packet Capture - [Monitor - Tools - Packet Capture] module. Remote attackers are able to inject script code into the description input field by adding a new packet capture filter in the web firewall interface. The injection point is the Edit Packet Capture Filter - Description Input Field and the execution point is the Packet Capture item listing. The attack vector is persistent (application-side) and the request method to inject is POST.
The web firewall interface has its own validation procedure to filter bad inputs. The input validation of the description can be bypassed by a split char injection. The attacker can inject two payloads: the first is filtered, the second bypasses the validation.
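The following is an added example, not code from GB OS or from the advisory. It contrasts a strip-style input filter that only handles the first tag-like token with allow-list validation on the POST plus HTML encoding at the item listing. The filter model, the function names, the allow-list pattern and the sample description are all assumptions, and the sample uses harmless formatting tags as markers.

```python
import html
import re

# Matches any tag-like token in a description value.
_TAG = re.compile(r"<[^>]*>")

# Hypothetical allow-list for a filter description (assumption): short,
# printable, no markup characters at all.
_ALLOWED = re.compile(r"[A-Za-z0-9 _.,:()\-]{1,64}")


def weak_filter(description: str) -> str:
    """Assumed model of a strip-style filter: removes the first tag only."""
    return _TAG.sub("", description, count=1)


def render_row_unsafe(description: str) -> str:
    """Listing cell built from filtered but unencoded input."""
    return "<td>" + weak_filter(description) + "</td>"


def validate_description(description: str) -> bool:
    """Server-side check for the POST: accept only allow-listed text."""
    return _ALLOWED.fullmatch(description) is not None


def render_row_safe(description: str) -> str:
    """Listing cell with output encoding applied at the execution point."""
    return "<td>" + html.escape(description, quote=True) + "</td>"


def cell_contains_markup(row: str) -> bool:
    """True if user-controlled markup survived inside the <td> cell."""
    inner = row[len("<td>"):-len("</td>")]
    return _TAG.search(inner) is not None


# Constructed sample: two tag tokens, standing in for the two inputs the
# advisory describes (first filtered, second not).
SAMPLE = "<b>first</b><i>second</i>"

if __name__ == "__main__":
    print("unsafe:", render_row_unsafe(SAMPLE))
    print("safe:  ", render_row_safe(SAMPLE))
    print("accepted by allow-list:", validate_description(SAMPLE))
```

Encoding at the listing holds even if a stored value predates the input check, which is why both controls are shown.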
The security risk of the application-side validation web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.0. Exploitation of the persistent input validation web vulnerability requires a privileged admin appliance web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.
Request Method(s): [+] POST
Vulnerable Service(s): [+] GB OS v6.2.02
Vulnerable Module(s): [+] Packet Capture - [Monitor - Tools - Packet Capture]
Vulnerable Input(s): [+] Edit Packet Capture Filter - [Description]
Vulnerable Parameter(s): [+] description - listtextplain
Affected Module(s): [+] Packet Capture Item Listing