NetScreen Advisory 58412: XSS Bug in NetScreen-SA SSL VPN
From: NetScreen Security Response Team (security-alert_at_netscreen.com)
Date: Thu, 4 Mar 2004 10:56:04 -0800 To: firstname.lastname@example.org, email@example.com
-----BEGIN PGP SIGNED MESSAGE-----
Title: NetScreen Advisory 58412
Date: 02 March 2004
Impact: Possible theft of user credentials and remote script execution.
Affected Products: NetScreen IVE running version 3.0 to 3.3.1.
Max Risk: Low
A cross-site scripting (XSS) vulnerability was discovered during an
external security audit of release 3.3 Patch 1 of the IVE. This
vulnerability affects customers using all versions of the IVE Platform
since 3.0. At this time there have been no reports of customers
compromised due to this IVE vulnerability.
There exists a cross-site scripting bug in 'row' parameter of the
'delhomepage.cgi' URL. This issue may result in the theft of
credentials such as session cookies and allow hostile client-side
scripts to run with unintended access privileges. The scope of the
problem is limited because only authenticated users can access the
NetScreen has security patches available to address this vulnerability.
We highly recommend that you upgrade your IVE to a patch corresponding
to your currently installed release.
Install the appropriate patch corresponding to your currently installed
Getting Fixed Software for NetScreen IVE Products:
NetScreen is offering free fixes for IVE versions 3.2.1 through 3.3.1
for all customers, regardless of service contract status. The following
security releases which contain the fix for this issue are available
on the NetScreen support site for all customers.
Updates available immediately:
- - 3.2.1 Patch 1-S2 (Build 5633)
- - 3.3-S1 (Build 5607)
- - 3.3 Patch 1-S1 (Build 5605)
- - 3.3.1-S1 (Build 5651)
Customers may download the above patches on the NetScreen IVE support
website at https://support.neoteris.com.
Customers with further questions may contact the NetScreen IVE Technical
Assistance Center at 408-543-2991 (Option 2) or send email to
This advisory as well as any future updates will be made available
through the NetScreen Security Notices webpage:
If you wish to verify the validity of this Security Advisory, the
public PGP key can be accessed at:
Thanks to Mark Lachniet of Analysts International
[lachniet -=at=- analysts.com] for reporting this issue and working
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: NetScreen Security Response Team <firstname.lastname@example.org>
-----END PGP SIGNATURE-----