Date: Fri, 5 Dec 2003 16:52:54 -0500
From: "Mr. P.Taylor" <petert@...gine-sw.com>
To: "Greg Meehan" <GMeehan@...eTimeFitness.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Websense Blocked Sites XSS


Greg,
Actually that parameter is $*WS_URL*$ within the "block.html"
page/frame referred to by the "master.html" page.

But that's beside the point that no content filtering is
being performed. I'm hoping my responses to 3APA3A's queries
have been posted by now as many ppl run the software configured
per the DIRECTIONS in the MANUAL, which will allow the software
to be used as one of the stepping stones in compromising an
internal user's system.

Peter Taylor CSO
Imagine Software Inc.

"There is a principle which is a bar against all information,
 which is proof against all arguments and which cannot fail to
 keep a man in everlasting ignorance - that principle is
 contempt prior to investigation."
					Herbert Spencer

> -----Original Message-----
> From: Greg Meehan [mailto:GMeehan@...eTimeFitness.com]
> Sent: Friday, December 05, 2003 3:05 PM
> To: 3APA3A; Mr. P.Taylor
> Cc: aleph1@...urityfocus.com; bugtraq@...urityfocus.com
> Subject: RE: Websense Blocked Sites XSS
>
>
>
> FYI: You can use a customized block page in /custom that does not display
> the URL, such as creating a "Sorry, This URL is Blocked" page with your
> company's logo. Heck, you can also just edit the "master.html" block page
> in the /default dir to remove the URL displayed field.
>
> -Greg
>
> -----Original Message-----
> From: 3APA3A [mailto:3APA3A@...URITY.NNOV.RU]
> Sent: Friday, December 05, 2003 7:09 AM
> To: Mr. P.Taylor
> Cc: aleph1@...urityfocus.com; bugtraq@...urityfocus.com
> Subject: Re: Websense Blocked Sites XSS
>
>
> Dear Mr. P.Taylor,
>
> It runs error message in context of blocked site. Now let's try to find
> out possible impacts:
>
> 1. It's possible to run javascript on the user host in context of
> blocked site. But it's most likely blocked site is not in list of
> trusted web sites on user's host, so it's impossible to get something
> different from running same script on another webpage.
>
> 2. It's possible to steal cookie, submit some forms, etc, on blocked site.
> But site is blocked. So, it's impossible to steal something or submit
> something to this site.
>
> Conclusion: there is no security impact
>
> Post Conclusion: Guys, it's perfect you can find all these XSS/CSS bugs
> in John Doe's guest books, Read-Doc-from-CDRom servers, etc. But please
> think about _security_ impact before submitting this to _security_
> related lists.
>
> --Wednesday, December 3, 2003, 7:35:39 PM, you wrote to dhubbard@...sense.com:
>
>
> MPT> Websense Blocked Sites XSS
>
> MPT> Risk: High
>
> MPT> Product: Websense Enterprise v4.3.0 - v5.1 (Maybe others we only
> MPT> tested this version)
>
> MPT> Product URL: http://www.websense.com
>
> MPT> Found By: PeterT - petert@...gine-sw.com
>
> MPT> Problem:
> MPT> When Websense blocks a web site, it returns a web page to the browser
> MPT> stating that the site has been blocked. This error message contains
> MPT> the URL which was requested. Websense does not do any validation or
> MPT> encoding of the URL before returning it in the error message. This
> MPT> allows an attacker to supply a URL that contains script (JavaScript,
> MPT> ActiveX, VB). This script will run in the context of a server in the
> MPT> trusted domain and combined with other IE flaws can have serious
> MPT> consequences.
>
> MPT> We have marked this as a High risk because we believe that allowing
> MPT> attackers to run arbitrary programs on your desktop at will, is a
> MPT> serious problem.
>
>
> MPT> Proof of Concept:
> MPT> A URL like
> MPT> http://BlockedSite?<SCRIPT>alert('hello')</SCRIPT> will run script.
>
> MPT> Resolution:
> MPT> The vendor has come out with a patch. Notified on Nov 29, 2003.
>
> MPT> Thanks to Websense for fixing this issue.
>
> MPT> Disclaimer:
> MPT> Standard disclaimer applies. The opinions expressed in this advisory
> MPT> are our own and not of any company. The information within this
> MPT> advisory may change without notice. Use of this information
> MPT> constitutes acceptance for use in an AS IS condition. There are no
> MPT> warranties with regard to this information. In no event shall the
> MPT> author be liable for any damages whatsoever arising out of or in
> MPT> connection with the use or spread of this information. Any use of
> MPT> this information is at the user's own risk.
>
>
>
> --
> ~/ZARAZA
> For facts are facts, and they are set out only so that they may be
> understood and believed. (Twain)
>
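
The advisory's root cause (the requested URL substituted into the block page with no encoding) next to an encoded substitution and the URL-free custom page suggested in the thread, as an added example that is not part of the original messages or of the product's code. Only the `$*WS_URL*$` token and the proof-of-concept URL come from the thread; the page templates and function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

PLACEHOLDER = "$*WS_URL*$"  # token named in the thread
# Constructed stand-ins for the block pages; not the product's real files.
DEFAULT_PAGE = ("<html><body><h1>Access denied</h1>"
                "<p>Blocked URL: $*WS_URL*$</p></body></html>")
CUSTOM_PAGE = "<html><body><h1>Sorry, This URL is Blocked</h1></body></html>"
# Proof-of-concept URL quoted in the advisory.
POC_URL = "http://BlockedSite?<SCRIPT>alert('hello')</SCRIPT>"

def render_raw(template, url):
    """Behaviour the advisory describes: the URL is inserted verbatim."""
    return template.replace(PLACEHOLDER, url)

def render_encoded(template, url):
    """Hardened form: HTML-encode the URL before it reaches the page."""
    return template.replace(PLACEHOLDER, html.escape(url, quote=True))

class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def _tags(page):
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags

def injected_tags(template, rendered):
    """Start tags in the rendered page that the template did not contain."""
    extra = _tags(rendered)
    for tag in _tags(template.replace(PLACEHOLDER, "")):
        if tag in extra:
            extra.remove(tag)
    return extra

if __name__ == "__main__":
    for name, page in (("raw", render_raw(DEFAULT_PAGE, POC_URL)),
                       ("encoded", render_encoded(DEFAULT_PAGE, POC_URL)),
                       ("custom", render_raw(CUSTOM_PAGE, POC_URL))):
        print(name, injected_tags(DEFAULT_PAGE if name != "custom" else CUSTOM_PAGE, page))
```

`injected_tags` can serve as a regression check on any block page template: a non-empty result means markup from the request reached the page as live HTML.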


