Norton Internet Security Blocked Sites XSS

• Previous message: James Foster: "Foundstone Labs to Release Absolutely FREE Tool"
• Next in thread: Sym Security: "Re: Norton Internet Security Blocked Sites XSS"
• Maybe reply: Sym Security: "Re: Norton Internet Security Blocked Sites XSS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Mon, 27 Oct 2003 13:27:54 -0600
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

DigitalPranksters Security Advisory
http://www.DigitalPranksters.com

Norton Internet Security Blocked Sites XSS

Risk: Low

Product: Norton Internet Security 2003 v6.0.4.34 (Maybe others we only
tested this version)

Product URL: http://www.symantec.com/sabu/nis/nis_pe/index.html

Found By: KrazySnake - krazysnake@digitalpranksters.com

Problem:
When Norton Internet Security 2003 blocks a web site, it returns a web
page to the browser stating that the site has been blocked. This error
message contains the URL which was requested. Norton Internet Security
2003 appears to do no validation or encoding of the URL before returning
it in the error message. This allows an attacker to supply a URL that
contains script. This script will run in the context of the blocked site.

We have marked this as a low risk because we believe in most situations,
there will be little information of interest since the site is normally
blocked (browser cookies from the blocked site probably do not exist,
etc). However this does allow sites that are blocked to run script on the
victim's machine when it shouldn't be allowed.

The HTML returned by Norton Internet Security 2003 when a site is blocked
looks like the following:

<html><head><title>Site Blocked</title></head><body>
<br><b>Norton Internet Security has blocked access to this restricted
site.</b><br><hr><br>
<p><b>Site:
</b>http://server/page.cgi?>alert(document.domain)</SCRIPT></p>
<p><b>Blocked categories: </b>xxxxxxxxx</p>
<p>If you think this web site is incorrectly categorized, visit the
Symantec <a
href="http://www.symantec.com/avcenter/cgi-bin/nisurl.cgi?lang=EN&unblock=xxxxxxxxx">Internet
Security Center</a> to report it.</p>
</body></html>

Proof of Concept:
A URL like
http://BlockedSite/page.cgi?>alert(document.domain)</SCRIPT> will
run script.

Resolution:
The fix is now available through the product's LiveUpdate functionality.

Greetings:
SkippyInside, AngryB, and Harmo.
Thanks to Symantec for fixing this issue.

Disclaimer:
Standard disclaimer applies. The opinions expressed in this advisory are
our own and not of any company. The information within this advisory may
change without notice. Use of this information constitutes acceptance for
use in an AS IS condition. There are no warranties with regard to this
information. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

----
NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
code "NT1003" when registering to take the TICSA exam at www.2test.com.
Prove to your employer and peers that you have the knowledge and
abilities to be an active stakeholder in today's enterprise security.
Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
12/31/03 and cannot be used in combination with other offers.
----

• Previous message: James Foster: "Foundstone Labs to Release Absolutely FREE Tool"
• Next in thread: Sym Security: "Re: Norton Internet Security Blocked Sites XSS"
• Maybe reply: Sym Security: "Re: Norton Internet Security Blocked Sites XSS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Norton Internet Security 2003 XSS ... Norton Internet Security Blocked Sites XSS ... When Norton Internet Security 2003 blocks a web site, ... This script will run in the context of the blocked site. ... We have marked this as a low risk because we believe in most situations, ... (Bugtraq) [Full-Disclosure] NAV 2003 vuln ... PRODUCT URL: http://www.symantec.com/sabu/nis/nis_pe/index.html ... When Norton Internet Security 2003 blocks a web site, ... This allows an attacker to supply a URL that contains script. ... We have marked this as a low risk because we believe in most situations, ... (Full-Disclosure) Re: Symantec: Strongest protection against 0-day bank malware ... Risk Name: Hacktool.Rootkit ... Topletz is dumb, but not that dumb. ... (alt.privacy) Symantec: Strongest protection against 0-day bank malware ... Norton Internet Security 2007 detects and blocks a rootkit: ... Risk Name: Hacktool.Rootkit ... Risk Category: Virus ... (alt.privacy) Re: IE 6 & Norton ... > After installing Norton Internet Security some web pages, ... In this web site there are drop down menus which no ... are you allowing Active Scripting on this security zone? ... (microsoft.public.windows.inetexplorer.ie6.browser)