lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201311111419.rABEJxSH017811@sf01web1.securityfocus.com>
Date: Mon, 11 Nov 2013 14:19:59 GMT
From: info@...reabodei.com
To: bugtraq@...urityfocus.com
Subject: XSS on Juniper JUNOS 11.4 Embedthis Appweb 3.2.3

Vulnerability Type: (XSS) Cross-Site Scripting

- Original release date: November 11th, 2013
- Last revised: November 11th, 2013
- Discovered by: Andrea Bodei - A2SECURE
- Severity: 4.3/10 (CVSSv2 Base Scored)

Products and affected versions:
JUNOS up to 11.4 (probably 12.1 and 12.3 vulnerable)

Vulnerability Discovered by: Andrea Bodei - info@...reabodei.com
Company: A2SECURE - Espaņa
A2Secure Website: http://www.A2secure.com
Vendor Website: http://www.juniper.net
Application Website: http://freecode.com/projects/appweb



======================
Background
======================

Juniper Networks, Inc. is an American manufacturer of networking equipment founded in 1996 by Mark Burke. It is headquartered in Sunnyvale, California, USA. The company designs and sells high-performance Internet Protocol network products and services. Juniper's main products include T-series, M-series, E-series, MX-series, and J-series families of routers, EX-series Ethernet switches and SRX-series security products. Junos, Juniper's own network operating system, runs on most Juniper products.



======================
Vulnerability Details
======================

JUNOS versions 11.4, 12.1 can be managed by a web login on HTTPS port 443 through EmbedThis AppWeb Webserver 3.2.3 that is prone to (XSS) Cross Site Vulnerability in the index.php "error" parameter due to insufficient sanitising of special characters that allows to execute arbitrary scripts in the context of the user's browser.
This vulnerability could be exploited to manipulate a client session, steal tokens, steal credentials, execute administrative task, impersonate a legitimate user, perform transactions as that user or for phishing.
Juniper should try to upgrade it's OS with latest release of EmbedThis 4.4.1 or better and implement a special characters filtering




======================
Proof Of Concepts
======================

This URLs just pop up a custom number/lecter/word/phrase:

https://xxx.xxx.xxx.xxx/index.php?name=Your_Account&error=1%22%3E%3Cscript%3Ealert%281538%29%3C%2Fscript%3E&uname=bGF

https://xxx.xxx.xxx.xxx/index.php?name=Your_Account&error=1%22%3E%3Cscript%3Ealert%28"HACKED"%29%3C%2Fscript%3E&uname=bGF



======================
Credits/Author
======================

Andrea Bodei
A2Secure.com



======================
Disclaimer
======================

All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore A2Secure shall not be liable for any direct or indirect damages that might be caused by using this information.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ