SecurityTracker.com
Category:   Device (Encryption/VPN)  >   Pulse Connect Secure (formerly Juniper Pulse Secure)
Vendors:   Juniper
Juniper Secure Access Input Validation Hole in 'meeting_testjava.cgi' Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1024692
SecurityTracker URL:  http://securitytracker.com/id/1024692
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 8 2010
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 6.5r7 and 7.0r3
Description:   A vulnerability was reported in Juniper Secure Access. A remote user can conduct cross-site scripting attacks.

The 'meeting_testjava.cgi' script does not properly filter HTML code from user-supplied input before displaying the input. A remote user can supply a specially crafted DSID HTTP header value to cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the device and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Davy Douhine reported this vulnerability via TippingPoint's Zero Day Initiative.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the device, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (IVE OS versions 6.5r7 and 7.0r3).
Vendor URL:  www.juniper.net/
Cause:   Input validation error

Message History:   None.
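
Added example (not part of the advisory or any vendor code): a log-side check for the condition described above, a request to 'meeting_testjava.cgi' whose DSID value carries HTML metacharacters, together with output encoding of a reflected value. The sample requests, path prefix and host name are constructed, and because the advisory does not say how DSID is carried, the check inspects both a DSID header and a DSID cookie (an assumption).

```python
import html
import re
from urllib.parse import unquote

# Assumption: characters that let a reflected value break out of HTML text or attributes.
HTML_META = re.compile(r"[<>\"'&]")
TARGET = "meeting_testjava.cgi"  # script named in the advisory


def parse_request(raw):
    """Split a raw HTTP request into (path, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return path, headers


def dsid_values(headers):
    """Collect DSID values from a DSID header and from a Cookie header."""
    values = []
    if "dsid" in headers:
        values.append(headers["dsid"])
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name.strip().upper() == "DSID":
            values.append(value)
    return values


def is_suspicious(raw):
    """True when a request to the test page carries markup in a DSID value."""
    path, headers = parse_request(raw)
    if TARGET not in path.split("?", 1)[0]:
        return False
    for value in dsid_values(headers):
        # Decode percent-encoding twice to catch double-encoded metacharacters.
        decoded = unquote(unquote(value))
        if HTML_META.search(decoded):
            return True
    return False


def render_safely(value):
    """Output-encode a value before reflecting it (generic remedy, not the vendor's patch)."""
    return html.escape(value, quote=True)


# Constructed sample requests (path prefix, host and DSID values are made up).
BENIGN = ("GET /example/meeting_testjava.cgi HTTP/1.1\r\nHost: sa.example.test\r\n"
          "Cookie: DSID=0123456789abcdef\r\n\r\n")
MARKUP = ("GET /example/meeting_testjava.cgi HTTP/1.1\r\nHost: sa.example.test\r\n"
          "Cookie: DSID=%22%3E%3Cb%3Econstructed%3C/b%3E\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("markup", MARKUP)):
        print(name, is_suspicious(req))
    print(render_safely('"><b>constructed</b>'))
```
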


 Source Message Contents

Subject:  [Full-disclosure] ZDI-10-231: Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability

ZDI-10-231: Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-10-231

November 7, 2010

-- CVSS:
6.4, (AV:N/AC:L/Au:N/C:P/I:P/A:N)

-- Affected Vendors:
Juniper

-- Affected Products:
Juniper Secure Access Series

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10605.
For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Juniper SA Series devices. Authentication is
not required to exploit this vulnerability.

The specific flaw exists within the meeting_testjava.cgi page which is
used to test JVM compatibility. When handling the DSID HTTP header the
code allows an attacker to inject arbitrary javascript into the page.
This can be abused by an attacker to perform a cross-site scripting
attack on the device.

-- Vendor Response:
Juniper states:
Development has confirmed that the fix to this issue will be available
in IVE OS versions 6.5r7 and 7.0r3.  Both IVE OS 6.5r7 and 7.0r3 are
planned to be available to customers in early November 2010.

Customers can sign up for proactive alerts of IVE OS software releases
by visiting the Juniper Networks Support Center and selecting "Subscribe
to Email Alerts" under Technical Bulletins.

-- Disclosure Timeline:
2010-10-15 - Vulnerability reported to vendor
2010-11-07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Davy Douhine

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi


