[NEWS] XSS Bug in NetScreen-SA 5000 Series of SSL VPN Appliance (delhomepage.cgi)

• Previous message: SecuriTeam: "[UNIX] Linux Kernel do_mremap VMA Limit Local Privilege Escalation (Technical Details)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 3 Mar 2004 11:25:24 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  XSS Bug in NetScreen-SA 5000 Series of SSL VPN Appliance (delhomepage.cgi)
------------------------------------------------------------------------

SUMMARY

A cross site scripting bug has been found in the 'delhomepage.cgi' CGI
found in NetScreen-SA 5000 Series SSL VPN appliance. The vulnerability
could alllow attackers to hijack authenticated session with the NetScreen
product.

DETAILS

Vulnerable Systems:
 * NetScreen-SA 5000 firmware version 3.3 Patch 1 (build 4797)

There exists a cross-site scripting bug in 'row' parameter of the
'delhomepage.cgi' CGI binary. This bug was discovered on an appliance
known as an "A5030-Clustered pair" running firmware version 3.3 Patch 1
(build 4797). The vulnerability may exist in other versions. This issue
may result in the theft of credentials such as session cookies, allow
hostile client-side scripts to run with unintended access privileges, or
provide a means for a "phishing" attack. Note: The 'delhomepage.cgi' is
accessible only by authenticated users.
 
Workaround:
Upgrade to the patched version of IVE software. Contact Netscreen support
for details.
 
Vendor response:
In the opinion of the author, the Netscreen corporation responded quickly
and efficiently to this issue, and clearly takes the security of their
products seriously. Netscreen should be commended for their prompt and
professional handling of the issue.
 
Disclosure Timeline:
2/6/2004 - Sent E-Mail to Sriram Ramachandran [SRamachandran -=at=-
netscreen.com] and received response. Immediately discussed issue via.
conference call. The bug was confirmed by the Netscreen staff.

2/7/2004 - Draft advisory sent to Netscreen support staff
2/9/2004 - Ongoing dialog with Netscreen on issue
2/11/2004 - Ongoing dialog with Netscreen on issue
2/18/2004 - Ongoing dialog with Netscreen on issue
2/23/2004 - Ongoing dialog with Netscreen on issue
2/25/2004 - Advisory updated based on vendor response
3/02/2004 - Final advisory released

ADDITIONAL INFORMATION

The information has been provided by <mailto:mlachniet@sequoianet.com>
Mark Lachniet.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Linux Kernel do_mremap VMA Limit Local Privilege Escalation (Technical Details)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]