All; We now have a fix available for all platforms of version 5.01 also. Please update the entry below to include fixes for 5.1 and 5.01. All Websense customers can receive the fix free of charge through our technical support department. Thanks -----Original Message----- From: Mr. P.Taylor [mailto:petert@imagine-sw.com] Sent: Wednesday, December 03, 2003 8:36 AM To: Hubbard, Dan Cc: aleph1@securityfocus.com; bugtraq@securityfocus.com Subject: Websense Blocked Sites XSS Websense Blocked Sites XSS Risk: High Product: Websense Enterprise v4.3.0 - v5.1 (Maybe others we only tested this version) Product URL: http://www.websense.com Found By: PeterT - petert@imagine-sw.com Problem: When Websense blocks a web site, it returns a web page to the browser stating that the site has been blocked. This error message contains the URL which was requested. Websense does not do any validation or encoding of the URL before returning it in the error message. This allows an attacker to supply a URL that contains script <JavaScript, ActiveX, VB). This script will run in the context of a server in the trusted domain and combined with other IE flaws can have serious consequences. We have marked this as a High risk because we believe that allowing attackers to run arbitrary programs on your desktop at will, is a serious problem. Proof of Concept: A URL like http://BlockedSite?<SCRIPT>alert('hello')</SCRIPT> will run script. Resolution: The vendor has come out with a patch. Notified on Nov 29, 2003. Thanks to Websense for fixing this issue. Disclaimer: Standard disclaimer applies. The opinions expressed in this advisory are our own and not of any company. The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
