lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2526662.20031205160908@SECURITY.NNOV.RU>
Date: Fri, 5 Dec 2003 16:09:08 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Mr. P.Taylor" <petert@...gine-sw.com>
Cc: aleph1@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: Websense Blocked Sites XSS


Dear Mr. P.Taylor,

It  runs  error message in context of blocked site. Now lets try to find
out possible impacts:

1.  It's  possible  to  run  javascript  on  the user host in context of
blocked  site.  But  it's  most  likely  blocked  site is not in list of
trusted  web  sites  on user's host, so it's impossible to get something
different from running same script on another webpage.

2. It possible to steal cookie, submit some forms, etc, on blocked site.
But  site  is  blocked. So, it's impossible to steal something or submit
something to this site.

Conclusion: there is no security impact

Post  Conclusion: Guys, it's perfect you can find all these XSS/CSS bugs
in  John Doe's guest books, Read-Doc-from-CDRom servers, etc. But please
think  about  _security_  impact  before  submitting  this to _security_
related lists.

--Wednesday, December 3, 2003, 7:35:39 PM, you wrote to dhubbard@...sense.com:


MPT> Websense Blocked Sites XSS

MPT> Risk: High

MPT> Product: Websense Enterprise v4.3.0 - v5.1 (Maybe others we only
MPT> tested this version)

MPT> Product URL: http://www.websense.com

MPT> Found By: PeterT - petert@...gine-sw.com

MPT> Problem:
MPT> When Websense blocks a web site, it returns a web page to the browser
MPT> stating
MPT> that the site has been blocked. This error message contains the URL which
MPT> was
MPT> requested. Websense does not do any validation or encoding of the URL before
MPT> returning it in the error message. This allows an attacker to supply a URL
MPT> that
MPT> contains script <JavaScript, ActiveX, VB). This script will run in the
MPT> context
MPT> of a server in the trusted domain and combined with other IE flaws can have
MPT> serious consequences.

MPT> We have marked this as a High risk because we believe that allowing
MPT> attackers
MPT> to run arbitrary programs on your desktop at will, is a serious problem.


MPT> Proof of Concept:
MPT> A URL like
MPT> http://BlockedSite?<SCRIPT>alert('hello')</SCRIPT> will run script.

MPT> Resolution:
MPT> The vendor has come out with a patch. Notified on Nov 29, 2003.

MPT> Thanks to Websense for fixing this issue.

MPT> Disclaimer:
MPT> Standard disclaimer applies. The opinions expressed in this advisory are
MPT> our own and not of any company. The information within this advisory may
MPT> change without notice. Use of this information constitutes acceptance for
MPT> use in an AS IS condition. There are no warranties with regard to this
MPT> information. In no event shall the author be liable for any damages
MPT> whatsoever arising out of or in connection with the use or spread of this
MPT> information. Any use of this information is at the user's own risk.



-- 
~/ZARAZA
Èáî ôàêòû åñòü ôàêòû, è èçëîæåíû îíè ëèøü äëÿ òîãî, ÷òîáû èõ ïîíÿëè è â íèõ ïîâåðèëè. (Òâåí)



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ