SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Security)  >  Norton Internet Security Vendors:  Symantec
Symantec Norton Internet Security Blocked Page Message Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1008010
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 27 2003
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 6.0.4.34
Description:  An input validation vulnerability was reported in Symantec's Norton Internet Security 2003. A remote user can conduct cross-site scripting attacks.

DigitalPranksters reported that when Norton Internet Security blocks a particular URL, a page displays the blocked URL but does not filter HTML code from the URL. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will run in the security context of the blocked site. As a result, the code may be able to access the target user's cookies (including authentication cookies), if any, associated with unblocked portions of the site, access data recently submitted by the target user via web form to the unblocked portions of the site, or take actions on the unblocked portions of the site acting as the target user.
Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with a blocked site, access data recently submitted by the target user via web form to the unblocked portions of the site, or take actions on the unblocked portions of the site acting as the target user.
Solution:  The vendor has released a fixed version, available via LiveUpdate.
Vendor URL:  www.symantec.com/sabu/nis/nis_pe/index.html (Links to External Site)
Cause:  Input validation error
Underlying OS:  Windows (Any)
Reported By:  DigitalPranksters <secteam@digitalpranksters.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 28 2003 (Vendor Confirms) Re: Symantec Norton Internet Security Blocked Page Message Lets Remote Users Conduct Cross-Site Scripting Attacks   (Sym Security <symsecurity@symantec.com>)
The vendor confirms the vulnerability and reports of a pending fix.


 Source Message Contents
Date:  Mon, 27 Oct 2003 13:26:31 -0600 (CST)
From:  DigitalPranksters <secteam@digitalpranksters.com>
Subject:  Norton Internet Security 2003 XSS

 

DigitalPranksters Security Advisory
http://www.DigitalPranksters.com

Norton Internet Security Blocked Sites XSS 

Risk: Low

Product: Norton Internet Security 2003 v6.0.4.34 (Maybe others we only 
tested this version)

Product URL: http://www.symantec.com/sabu/nis/nis_pe/index.html

Found By: KrazySnake - krazysnake@digitalpranksters.com

Problem:
When Norton Internet Security 2003 blocks a web site, it returns a web 
page to the browser stating that the site has been blocked. This error 
message contains the URL which was requested. Norton Internet Security 
2003 appears to do no validation or encoding of the URL before returning 
it in the error message. This allows an attacker to supply a URL that 
contains script. This script will run in the context of the blocked site.

We have marked this as a low risk because we believe in most situations, 
there will be little information of interest since the site is normally 
blocked (browser cookies from the blocked site probably do not exist, 
etc). However this does allow sites that are blocked to run script on the 
victim's machine when it shouldn't be allowed.

The HTML returned by Norton Internet Security 2003 when a site is blocked 
looks like the following:

<html><head><title>Site Blocked</title></head><body>
<br><b>Norton Internet Security has blocked access to this restricted
site.</b><br><hr><br>
<p><b>Site:
</b>http://server/page.cgi?<SCRIPT>alert(document.domain)</SCRIPT></p>
<p><b>Blocked categories: </b>xxxxxxxxx</p>
<p>If you think this web site is incorrectly categorized, visit the
Symantec <a 
href="http://www.symantec.com/avcenter/cgi-bin/nisurl.cgi?lang=EN&unblock=xxxxxxxxx">
Internet
Security Center</a> to report it.</p>
</body></html>

Proof of Concept:
A URL like 
http://BlockedSite/page.cgi?<SCRIPT>alert(document.domain)</SCRIPT> will 
run script.

Resolution:
The fix is now available through the product's LiveUpdate functionality.

Greetings:
SkippyInside, AngryB, and Harmo. 
Thanks to Symantec for fixing this issue.

Disclaimer:
Standard disclaimer applies. The opinions expressed in this advisory are 
our own and not of any company. The information within this advisory may 
change without notice. Use of this information constitutes acceptance for 
use in an AS IS condition. There are no warranties with regard to this 
information. In no event shall the author be liable for any damages 
whatsoever arising out of or in connection with the use or spread of this 
information. Any use of this information is at the user's own risk.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC