SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Device (Embedded Server/Appliance)  >   Sophos UTM (Astaro Security Gateway) Vendors:   Astaro
Astaro Security Gateway Input Validation Flaw in Comment Field Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1027140
SecurityTracker URL:  http://securitytracker.com/id/1027140
CVE Reference:   CVE-2012-3238   (Links to External Site)
Date:  Jun 11 2012
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 8.304 and prior versions
Description:   A vulnerability was reported in Astaro Security Gateway. A remote user can conduct cross-site scripting attacks.

The management interface does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Astaro Security Gateway interface and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The 'Comment (optional)' field in the 'Available backups' view is affected.

The vendor was notified on May 12, 2012.

The original advisory is available at:

http://security.inshell.net/advisory/27

Julien Ahrens from Inshell Security reported this vulnerability.
Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Astaro Security Gateway interface, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (8.305).

The vendor's advisory is available at:

http://www.astaro.com/en-uk/blog/up2date/8305
Vendor URL:  www.astaro.com/en-uk/blog/up2date/8305 (Links to External Site)
Cause:   Input validation error
Underlying OS:  

Message History:   None.

 Source Message Contents
Date:  Sun, 10 Jun 2012 14:15:59 +0200
Subject:  [Full-disclosure] [CVE-2012-3238] Astaro Security Gateway <= v8.304 Persistent Cross-Site Scripting Vulnerability

Inshell Security Advisory
http://www.inshell.net/


1. ADVISORY INFORMATION
-----------------------
Product:        Astaro Security Gateway
Vendor URL:     www.astaro.com / www.sophos.com
Type:           Cross-site Scripting [CWE-79]
Date found:     2012-05-11
Date published: 2012-06-10
CVSSv2 Score:   3,5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVE:            CVE-2012-3238


2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.


3. VERSIONS AFFECTED
--------------------
Astaro Security Gateway v8.304, older versions are affected too.


4. VULNERABILITY DESCRIPTION
----------------------------
A Persistent Cross-Site Scripting Vulnerability has been found on the
Astaro Security Gateway product.

The vulnerability is located in the backup-function of the software:

Vulnerable Module(s):
+Management -> Backup/Restore
 Parameter: "Comment (optional)"

The input field "Comment (optional)" is shown on the "Available backups"
view after successful creation of a new backup and is also included into
the backup-file itself.

Due to improper input - validation of this input field, an attacker
could permanently inject arbitrary code with required user interaction
into the context of the firewall-interface. Successful exploitation of
the vulnerability allows for example cookie theft, session hijacking or
server side context manipulation.


5. PROOF-OF-CONCEPT (CODE / EXPLOIT)
------------------------------------
An attacker needs to force the victim to import an arbitrary
backup-file. The victim does not need to apply the backup, only the
import is required to exploit the vulnerability.

For further information (screenshots, PoCs etc.) visit:
http://security.inshell.net/advisory/27


6. SOLUTION
-----------
Update to v8.305.


7. REPORT TIMELINE
------------------
2012-05-12: Initial notification sent to vendor
2012-05-12: Vendor response
2012-05-12: Vulnerability details reported to vendor
2012-05-15: Vendor acknowledgement
2012-05-31: Vendor releases Update / Fix
2012-06-10: Coordinated public release of advisory


8. REFERENCES
-------------
http://www.astaro.com/en-uk/blog/up2date/8305
http://security.inshell.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC