lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 13 Mar 2014 17:14:38 -0300
From: William Costa <william.costa@...il.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: WatchGuard Fireware XTM devices contain a
 cross-site scripting vulnerability (CVE-2014-0338)

I. VULNERABILITY

-------------------------

Reflected XSS Attacks vulnerabilities in WatchGuard XTM 11.8




II. BACKGROUND

-------------------------

WatchGuard builds affordable, all-in-one network and content security
solutions to provide defense in depth for corporate content, networks and
the businesses they power.

III. DESCRIPTION

-------------------------

Has been detected a Reflected XSS vulnerability in XTM WatchGuard.

The code injection is done through the parameter "poll_name" in the
page "/firewall/policy?pol_name=(HERE XSS)"



IV. PROOF OF CONCEPT

-------------------------

The application does not validate the parameter "poll_name" correctly.

https://10.200.210.100:8080/firewall/policy?pol_name=qqq"><body
onload=alert(document.cookie)>&service=Any&is_new=1



V. BUSINESS IMPACT

-------------------------

An attacker can execute arbitrary HTML or script code in a targeted

user's browser, that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser
allowing Cookie Theft/Session Hijacking, thus enabling full access the
box.



VI. SYSTEMS AFFECTED

-------------------------

Tested WatchGuard XTM Version: 11.8 (Build 432340)





VII. SOLUTION
-------------------------

All data received by the application and can be modified by the user,

before making any kind of transaction with them must be validated


VIII. References
-------------------------
http://www.kb.cert.org/vuls/id/807134
http://watchguardsecuritycenter.com/2014/03/13/fireware-xtm-11-8-3-update-corrects-xss-flaw/


By William Costa

william.costa@...il.com

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists