[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0FD9D979B9535D4890AE309799B6D1E55C5D13@lansingemail.seqnt.com>
Date: Tue, 2 Mar 2004 09:03:26 -0500
From: "Lachniet, Mark" <mlachniet@...uoianet.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>
Subject: 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance
TITLE: 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN
appliance
SUMMARY
Cross Site Scripting bug in the 'delhomepage.cgi' CGI binary in the
Netscreen
NetScreen-SA 5000 Series SSL VPN appliance.
DETAILS
There exists a cross-site scripting bug in 'row' parameter of the
'delhomepage.cgi' CGI binary. This bug was discovered on an appliance
known as an "A5030-Clustered pair" running firmware version 3.3 Patch
1
(build 4797). The vulnerability may exist in other versions. This
issue
may result in the theft of credentials such as session cookies, allow
hostile client-side scripts to run with unintended access privileges,
or
provide a means for a "phishing" attack. For more detailed
descriptions
of Cross Site Scripting and its implications, please refer to
whitepapers
such as:
http://www.cgisecurity.com/articles/xss-faq.shtml
<http://www.cgisecurity.com/articles/xss-faq.shtml>
http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf
<http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf>
The 'delhomepage.cgi' is accessible only by authenticated users.
WORKAROUND
Upgrade to the patched version of IVE software. Contact Netscreen
support
for details.
ORIGINATOR
The issue was discovered by Mark Lachniet of Analysts International
[lachniet -=at=- analysts.com] during a security analysis of the web
application interface of the device. Analysts International's
security
team provides a variety of security services and can be reached at
[SecurityServices -=at=- analysts.com].
MAINTAINER
The maintainer of the Netscreen IVE SSL VPN Appliance is the Netscreen
Corporation [http://www.netscreen.com]. The following information
about
security at Netscreen is taken from the Security Center web page at:
http://www.netscreen.com/services/security/index.jsp
<http://www.netscreen.com/services/security/index.jsp>
"Please report any potential or real instances of a security
vulnerability
(with any NetScreen product or service) to the NetScreen Security
Alert
Team at security@...screen.com <mailto:security@...screen.com> . For
immediate assistance, TAC is available
24 hours a day by calling 1-877-NETSCREEN."
VENDOR RESPONSE
In the opinion of the author, the Netscreen corporation responded
quickly and
efficiently to this issue, and clearly takes the security of their
prodcuts
seriously. Netscreen should be commended for their prompt and
professional
handling of the issue.
DATE OF CONTACT
2/6/2004 - Sent E-Mail to Sriram Ramachandran [SRamachandran -=at=-
netscreen.com]
and received response. Immediately discussed issue via. conference
call.
The bug was confirmed by the Netscreen staff.
2/7/2004 - Draft advisory sent to Netscreen support staff
2/9/2004 - Ongoing dialog with Netscreen on issue
2/11/2004 - Ongoing dialog with Netscreen on issue
2/18/2004 - Ongoing dialog with Netscreen on issue
2/23/2004 - Ongoing dialog with Netscreen on issue
2/25/2004 - Advisory updated based on vendor response
3/02/2004 - Final advisory released
Content of type "text/html" skipped
Powered by blists - more mailing lists