SecurityTracker.com

Category:   Application (Firewall)  >   CyberGuard
Vendors:   CyberGuard
CyberGuard Firewall Proxy Error Page Input Validation Flaw May Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1008526
SecurityTracker URL:  http://securitytracker.com/id/1008526
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jan 21 2004
Original Entry Date:  Dec 20 2003
Impact:   Not specified
Exploit Included:  Yes  
Version(s): 5.1
Description:   An input validation vulnerability was reported in the CyberGuard firewall in the HTTP proxy. A remote user can conduct cross-site scripting attacks.

[Editor's note: The vendor has reported that the management of the firewall (including the proxy) is performed via an SSL-enabled Java applet and is not performed in the context of a general browser window. Administrator credentials are not stored within browser cookies and administrative actions are not performed via a web browser. As a result, browser-based HTML scripting attacks against administrators are unlikely to have a security impact (the vendor states that there is definitively no impact). Based on this, we had originally decided to remove the alert from our database. However, the author maintains that the behavior is described accurately. So, we are investigating the matter to determine the exact security impact.]

It is reported that the CyberGuard HTTP proxy does not filter HTML code from user-supplied URLs when displaying error pages for URLs with invalid domains. A remote user can create a specially crafted URL (with an invalid domain name) that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the proxy and may run in the security context of the proxy. As a result, the code may be able to access the target user's cookies (including authentication cookies), if any, associated with the proxy, access data recently submitted by the target user via web form to the proxy, or take actions on the proxy acting as the target user.

http://domain.tld<script>alert('test')</script>

It is reported that a remote user can cause images to be loaded on the error page.

Impact:   [Editor's note: The security impact is under investigation.]
Solution:   No solution was available at the time of this entry.

The vendor reports that the proxy error pages can be configured so that the pages will not display the requested URL.
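
The error-page behaviour described above, next to the two ways of neutralising it (encoding the echoed URL, or not displaying the URL at all as the vendor describes), as an added example. This is not CyberGuard code; the function names, the template and the image URL are assumptions made for illustration.

```python
import html

# Constructed sample inputs, modelled on the URL shown in the advisory.
SAMPLE_SCRIPT_URL = "http://domain.tld<script>alert('test')</script>"
SAMPLE_IMG_URL = 'http://domain.tld<img src="http://img.example/x.png">'

# Hypothetical error-page template for an unresolvable host.
ERROR_TEMPLATE = (
    "<html><head><title>Proxy error</title></head><body>"
    "<h1>Host not found</h1>{detail}</body></html>"
)


def render_error_unsafe(requested_url: str) -> str:
    """Flawed pattern: the requested URL is copied into the page as-is,
    so markup in the URL becomes markup in the proxy's response."""
    return ERROR_TEMPLATE.format(
        detail="<p>Could not resolve " + requested_url + "</p>")


def render_error(requested_url: str, show_url: bool = True) -> str:
    """Hardened pattern: HTML-encode the URL before echoing it, or omit
    it entirely (the configuration change the vendor describes)."""
    if not show_url:
        return ERROR_TEMPLATE.format(
            detail="<p>The requested host could not be resolved.</p>")
    # quote=True also encodes " and ', so the value stays inert even if
    # a template later places it inside an attribute.
    safe = html.escape(requested_url, quote=True)
    return ERROR_TEMPLATE.format(
        detail="<p>Could not resolve <code>" + safe + "</code></p>")


def contains_active_markup(page: str) -> bool:
    """Crude check for this demo: did request-supplied tags survive?"""
    lowered = page.lower()
    return "<script" in lowered or "<img" in lowered


if __name__ == "__main__":
    for url in (SAMPLE_SCRIPT_URL, SAMPLE_IMG_URL):
        print("unsafe  :", contains_active_markup(render_error_unsafe(url)))
        print("encoded :", contains_active_markup(render_error(url)))
        print("url off :", contains_active_markup(render_error(url, show_url=False)))
```
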

Vendor URL:  www.cyberguard.com/
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  CyberGuard proxy / firewall XSS




Overview:

Vendor : CyberGuard
URL    : http://www.cyberguard.com
Version: 5.1 - Other versions have not been tested
Issue  : Cross Site Script
Impact : Low - Medium

Description:

Overview of product: http://www.cyberguard.com/solutions/product_overview.cfm

Problem:

By issuing a GET request for an invalid Internet domain name http://domain.tld through the CyberGuard proxy from an internal network to the Internet, it is possible to append a basic syntax for a Cross Site Script...

For instance: http://domain.tld<script>alert('test')</script>

Variants have been tested and it is possible to also include images on the error page.

For instance: it is possible to specify an image with the <img src> tag while also specifying a Cross Site Script - in the same address <script>alert('test')</script>

Should you be 'vulnerable' to the CyberGuard proxy / firewall CSS then you should see a similar page or a variant depending on the configuration.

As http (through the GUI) can be used as a mechanism whereby access to the logs can be viewed, it may be possible for a miscreant to, through the usual obfuscation methods (encoding types), trick an administrator of the CyberGuard proxy / firewall into clicking on a Cross Site Script to gain privileged user credentials by specifying the (document.cookie) with a refer to a file where the user credentials can be collected for the purpose of executing by loading the credentials into the Achilles (or similar) proxy.

Note: this method of attack is yet untested.

Possible Solution:

Input validation of code executed on the CyberGuard proxy / firewall.
Configure the CyberGuard proxy / firewall so that management access can only be accessed via SSH.

Solution:

See Vendor for solution.

Vendor Notification:

Yes

Credit:

Everyone doing IT Security

 
 



Copyright 2022, SecurityGlobal.net LLC