[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <3FD4CF80.6020802@mightye.org>
Date: Mon, 08 Dec 2003 14:22:40 -0500
From: "Eric \"MightyE\" Stevens" <trash@...htye.org>
To: 3APA3A <3APA3A@...URITY.NNOV.RU>
Cc: "Mr. P.Taylor" <petert@...gine-sw.com>, aleph1@...urityfocus.com,
bugtraq@...urityfocus.com
Subject: Re: Websense Blocked Sites XSS
Some sites become accidentally blocked, or become blocked after they had
been previously available, and so there is a concern over cookie theft
here. Simply because you can't take advantage of this from within that
network at that time, doesn't prevent you from taking that information
elsewhere, or waiting until a more opportune time (such as when the site
becomes unblocked).
Although this is a fairly minimal security impact (especially given a
wide variety of other approaches to stealing cookies), I wouldn't say
that there is no security impact.
-Eric "MightyE" Stevens
http://lotgd.net
3APA3A wrote:
>Dear Mr. P.Taylor,
>
>It runs error message in context of blocked site. Now lets try to find
>out possible impacts:
>
>1. It's possible to run javascript on the user host in context of
>blocked site. But it's most likely blocked site is not in list of
>trusted web sites on user's host, so it's impossible to get something
>different from running same script on another webpage.
>
>2. It possible to steal cookie, submit some forms, etc, on blocked site.
>But site is blocked. So, it's impossible to steal something or submit
>something to this site.
>
>Conclusion: there is no security impact
>
>Post Conclusion: Guys, it's perfect you can find all these XSS/CSS bugs
>in John Doe's guest books, Read-Doc-from-CDRom servers, etc. But please
>think about _security_ impact before submitting this to _security_
>related lists.
>
>--Wednesday, December 3, 2003, 7:35:39 PM, you wrote to dhubbard@...sense.com:
>
>
>MPT> Websense Blocked Sites XSS
>
>MPT> Risk: High
>
>MPT> Product: Websense Enterprise v4.3.0 - v5.1 (Maybe others we only
>MPT> tested this version)
>
>MPT> Product URL: http://www.websense.com
>
>MPT> Found By: PeterT - petert@...gine-sw.com
>
>MPT> Problem:
>MPT> When Websense blocks a web site, it returns a web page to the browser
>MPT> stating
>MPT> that the site has been blocked. This error message contains the URL which
>MPT> was
>MPT> requested. Websense does not do any validation or encoding of the URL before
>MPT> returning it in the error message. This allows an attacker to supply a URL
>MPT> that
>MPT> contains script <JavaScript, ActiveX, VB). This script will run in the
>MPT> context
>MPT> of a server in the trusted domain and combined with other IE flaws can have
>MPT> serious consequences.
>
>MPT> We have marked this as a High risk because we believe that allowing
>MPT> attackers
>MPT> to run arbitrary programs on your desktop at will, is a serious problem.
>
>
>MPT> Proof of Concept:
>MPT> A URL like
>MPT> http://BlockedSite?<SCRIPT>alert('hello')</SCRIPT> will run script.
>
>MPT> Resolution:
>MPT> The vendor has come out with a patch. Notified on Nov 29, 2003.
>
>MPT> Thanks to Websense for fixing this issue.
>
>MPT> Disclaimer:
>MPT> Standard disclaimer applies. The opinions expressed in this advisory are
>MPT> our own and not of any company. The information within this advisory may
>MPT> change without notice. Use of this information constitutes acceptance for
>MPT> use in an AS IS condition. There are no warranties with regard to this
>MPT> information. In no event shall the author be liable for any damages
>MPT> whatsoever arising out of or in connection with the use or spread of this
>MPT> information. Any use of this information is at the user's own risk.
>
>
>
>
>
Powered by blists - more mailing lists