Symantec Gateway Security Input Validation Flaw Permits Remote Cross-Site Scripting and Administrative Session Hijacking

SecurityTracker Alert ID: 1009231
CVE Reference: CAN-2004-0192
Updated: Mar 4 2004
Original Entry Date: Feb 26 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 2.0

Description: An input validation vulnerability was reported in Symantec Gateway Security. A remote user can conduct cross-site scripting attacks to hijack an administrative session.

Brian Soby of Raytheon reported that the server does not properly filter HTML code from URLs when displaying an error page containing the URL.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Symantec Gateway Security software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

https://FirewallHostname:2456/sgmi/<script>badscript</script>

According to the report, a remote user can exploit this flaw to obtain the JSESSIONID authentication cookie and hijack an administrative session.
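
The error-page flaw described above, next to a corrected form, as an added Python example (not Symantec's code and not from the original report). The page template, the function names, the percent-decoding step and the /sgmi cookie path are assumptions made for illustration.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed inputs modelled on the advisory's demonstration URL.
RAW_PATH = "/sgmi/<script>badscript</script>"
ENCODED_PATH = "/sgmi/%3Cscript%3Ebadscript%3C/script%3E"

# Hypothetical 404 template; the real product's page is not shown in the advisory.
PAGE = "<html><body><h1>404 Not Found</h1><p>{shown} was not found.</p></body></html>"


def error_page_unfiltered(path: str) -> str:
    """Flawed pattern: the decoded request path is copied into the HTML as-is."""
    return PAGE.format(shown=unquote(path))


def error_page_encoded(path: str) -> str:
    """Corrected pattern: encode the path for the HTML context before echoing it."""
    return PAGE.format(shown=html.escape(unquote(path), quote=True))


def session_cookie(value: str) -> str:
    """Second layer: keep the session cookie out of reach of page script."""
    jar = SimpleCookie()
    jar["JSESSIONID"] = value
    jar["JSESSIONID"]["httponly"] = True   # not readable through document.cookie
    jar["JSESSIONID"]["secure"] = True     # only sent over HTTPS
    jar["JSESSIONID"]["path"] = "/sgmi"    # assumed scope of the management UI
    return jar["JSESSIONID"].OutputString()


if __name__ == "__main__":
    for p in (RAW_PATH, ENCODED_PATH):
        print(error_page_unfiltered(p))
        print(error_page_encoded(p))
    print("Set-Cookie:", session_cookie("constructed-session-id"))
```

Output encoding removes the script execution itself; the cookie attributes only limit what injected script could read if some other echo point were missed.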

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Symantec Gateway Security software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. A remote user can hijack an administrative session.

Solution: The vendor has issued a fix, available at:
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_2_5400/files.html
The fix is listed under hotfix ID SG8000-20040130-00.

Vendor URL: www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_2_5400/files.html
Cause: Input validation error
Underlying OS: Windows (Any)
Reported By: Brian_J_Soby@raytheon.com
Message History: None.

Source Message Contents

Date: Thu, 26 Feb 2004 17:41:43 -0500
From: Brian_J_Soby@raytheon.com
Subject: [Full-Disclosure] Symantec Gateway Security Management Service Cross Site Scripting
Symantec Gateway Security Management Service Cross Site Scripting
Product: Symantec Gateway Security 2.0
Date: 02/25/2004
Author: Brian Soby, Raytheon
1. Overview
----------------------------------------
A cross site scripting vulnerability exists in Symantec Gateway Security's
management service which could allow an attacker to hijack a management
session to the device.
2. Vulnerability Description
----------------------------------------
A vulnerability exists in the Symantec Gateway Security management server
object's handling of URLs when including them in error pages displayed to
the requesting client. No parsing is done to the URLs to ensure that HTML
tags are not included and returned to the client.
3. Conditions
---------------------------------------
The URL requested by the client must be handled by the Symantec Gateway
Security's custom server object. For example, any request for an object
under the /sgmi directory is passed to the Symantec Gateway Security
server object for processing. The attacker could present a URL in the form
of https://FirewallHostname:2456/sgmi/<script>badscript</script> to the
client. SGS would display the URL back to the client, usually in a 404
page or other error page, causing the execution of the script "badscript"
in the context of the SGS device.
4. Impact
--------------------------------------
Malicious script can be executed in the context of a trusted device,
authentication cookies can be stolen (including JSESSIONID cookie used to
authenticate a management session), etc. Because no access control policy
restricts the access to the management service by default, an attacker who
is able to obtain the JSESSIONID cookie for a valid session could connect
from an untrusted network and assume management rights of the device.
5. Solution
--------------------------------------
Symantec has released a patch that addresses this issue. It is available
at
http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_2_5400/files.html
under hotfix ID SG8000-20040130-00. This problem is described in the
hotfix readme as a fix that "Changes the return page when management URL
is requested incorrectly"
6. Disclaimer
--------------------------------------
The information in this advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties, expressed or implied, with regard to this information.
In no event shall the author be liable for any damages whatsoever arising
out of or in connection with this information.
7. Copyright
--------------------------------------
Copyright (c) 2004 Raytheon. Permission is hereby granted to redistribute
this alert electronically, provided it is left whole and not modified in
any way.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
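
A log check for the request pattern in section 3 of the report, as an added Python example that is not part of the original message. The log lines are constructed (Common Log Format, documentation address ranges), and the function names and the benign sample paths are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines; none of this is captured traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Feb/2004:17:40:01 -0500] "GET /sgmi/ HTTP/1.1" 200 5120
198.51.100.7 - - [26/Feb/2004:17:41:43 -0500] "GET /sgmi/<script>badscript</script> HTTP/1.1" 404 310
198.51.100.7 - - [26/Feb/2004:17:42:10 -0500] "GET /sgmi/%3Cscript%3Ebadscript%3C/script%3E HTTP/1.1" 404 310
203.0.113.5 - - [26/Feb/2004:17:43:00 -0500] "GET /sgmi/%253Cscript%253Ebadscript%253C/script%253E HTTP/1.1" 404 310
192.0.2.10 - - [26/Feb/2004:17:44:12 -0500] "GET /sgmi/example/page HTTP/1.1" 200 2048
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.+) HTTP/[\d.]+" (\d{3})\b')
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]")  # start of an HTML tag


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_markup_requests(log_text: str, prefix: str = "/sgmi/"):
    """Return (client, status, decoded_path) for requests under `prefix`
    whose path carries HTML markup, the input the error page echoed back."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, _method, raw_path, status = m.groups()
        path = fully_decode(raw_path)
        if path.startswith(prefix) and MARKUP.search(path):
            hits.append((client, int(status), path))
    return hits


if __name__ == "__main__":
    for client, status, path in find_markup_requests(SAMPLE_LOG):
        print(client, status, path)
```

A hit shows only that such a URL was requested; the Referer header and the time of the nearest administrative login help establish whether an administrator's browser loaded it.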