[Full-Disclosure] 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance

From: Lachniet, Mark (mlachnietsequoianet.com)
Date: Tue Mar 02 2004 - 08:03:26 CST


TITLE: 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance
 
SUMMARY
 
  Cross Site Scripting bug in the 'delhomepage.cgi' CGI binary in the
  Netscreen NetScreen-SA 5000 Series SSL VPN appliance.
 

DETAILS
 
  There exists a cross-site scripting bug in the 'row' parameter of the
  'delhomepage.cgi' CGI binary. This bug was discovered on an appliance
  known as an "A5030-Clustered pair" running firmware version 3.3 Patch 1
  (build 4797). The vulnerability may exist in other versions. This issue
  may result in the theft of credentials such as session cookies, allow
  hostile client-side scripts to run with unintended access privileges, or
  provide a means for a "phishing" attack. For more detailed descriptions
  of Cross Site Scripting and its implications, please refer to whitepapers
  such as:
 
    http://www.cgisecurity.com/articles/xss-faq.shtml
    http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf
 
  The 'delhomepage.cgi' is accessible only by authenticated users.
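  Because the CGI is only reachable by authenticated users, an abuse attempt
  leaves the session's username and the offending 'row' value in the web
  server access log. The following is an added example (not part of the
  advisory or of NetScreen's software) that scans constructed log lines for
  requests to delhomepage.cgi whose decoded 'row' parameter is not a plain
  integer; the log format, usernames and the path prefix are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in common log format. Only the CGI
# name and the 'row' parameter come from the advisory; clients, users,
# and the request path prefix are made up for illustration.
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Mar/2004:08:03:26 -0600] "GET /delhomepage.cgi?row=2 HTTP/1.1" 200 512
10.0.0.9 - bob [02/Mar/2004:08:04:10 -0600] "GET /delhomepage.cgi?row=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.5 - alice [02/Mar/2004:08:05:00 -0600] "GET /index.cgi HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A home-page row index is expected to be a small decimal integer; anything
# else (markup, quotes, blank) is worth a look.
ROW_OK = re.compile(r'^\d{1,6}$')


def check_row_param(target):
    """Return None if the request is not for delhomepage.cgi or every 'row'
    value is a plain integer; otherwise return the first offending value,
    fully URL-decoded so double-encoded input is not missed."""
    parts = urlsplit(target)
    if not parts.path.endswith('/delhomepage.cgi'):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get('row', []):
        decoded = unquote(value)  # parse_qs decoded once; this handles %25xx
        if not ROW_OK.match(decoded):
            return decoded
    return None


def find_suspicious(log_text):
    """Return (username, decoded_row_value) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        bad = check_row_param(m.group('target'))
        if bad is not None:
            hits.append((line.split()[2], bad))  # CLF field 3 is the user
    return hits


if __name__ == '__main__':
    for user, value in find_suspicious(SAMPLE_LOG):
        print(f'suspicious row value from {user!r}: {value!r}')
```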
 
 
WORKAROUND
 
  Upgrade to the patched version of IVE software. Contact Netscreen support
  for details.
 

ORIGINATOR
 
  The issue was discovered by Mark Lachniet of Analysts International
  [lachniet -=at=- analysts.com] during a security analysis of the web
  application interface of the device. Analysts International's security
  team provides a variety of security services and can be reached at
  [SecurityServices -=at=- analysts.com].
 

MAINTAINER
 
  The maintainer of the Netscreen IVE SSL VPN Appliance is the Netscreen
  Corporation [http://www.netscreen.com]. The following information about
  security at Netscreen is taken from the Security Center web page at:
 
    http://www.netscreen.com/services/security/index.jsp
 
  "Please report any potential or real instances of a security vulnerability
   (with any NetScreen product or service) to the NetScreen Security Alert
   Team at securitynetscreen.com. For immediate assistance, TAC is available
   24 hours a day by calling 1-877-NETSCREEN."
 
VENDOR RESPONSE
 
  In the opinion of the author, the Netscreen corporation responded quickly
  and efficiently to this issue, and clearly takes the security of their
  products seriously. Netscreen should be commended for their prompt and
  professional handling of the issue.
 
DATE OF CONTACT
 
2/6/2004 - Sent E-Mail to Sriram Ramachandran [SRamachandran -=at=- netscreen.com]
    and received response. Immediately discussed issue via conference call.
    The bug was confirmed by the Netscreen staff.
 
2/7/2004 - Draft advisory sent to Netscreen support staff
 
2/9/2004 - Ongoing dialog with Netscreen on issue
 
2/11/2004 - Ongoing dialog with Netscreen on issue
 
2/18/2004 - Ongoing dialog with Netscreen on issue
 
2/23/2004 - Ongoing dialog with Netscreen on issue
 
2/25/2004 - Advisory updated based on vendor response
 
3/02/2004 - Final advisory released
 
 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html