lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 7 Nov 2010 16:57:22 -0800
From: Michal Zalewski <>
To: "Full Disclosure (" <>,
	"Bugtraq (" <>
Subject: some ooold Juniper bugs (was: [Full-disclosure] ZDI-10-231: Juniper
 Secure Access Series meeting_testjava.cgi XSS Vulnerability)

This reminded me of a bunch of problems I spotted in Juniper SSL VPN a
while ago; they are apparently fixed, but I don't recall seeing any
public vendor advisory / credit for reporting them - so here you go,
even if just for the record...

These were fixed by Juniper in IVE 6.3R1, 6.2R3, 6.1R5, 6.0R8, and 5.5
R7.1 over a year ago.

1) Auth bypass - IVE permitted just about any script on the box to be
invoked without authentication by going through a
/dana-na/download/?url= hop, for example:


2) XSS flaws (which are pretty bad in SSL VPN appliances, because they
completely trash the security model of this access mode):

This worked in IVE 6.2:

This worked with IVE 5.5 & Firefox:

This worked with IVE 5.5 & MSIE:

XSS + response splitting:


And some more vanilla XSSes:




Powered by blists - more mailing lists