List: full-disclosure
Subject: [Full-disclosure] RE: MIMESweeper For Web 5.X Cross Site Scripting
From: "Erez Metula" <erezmetula () 2bsecure ! co ! il>
Date: 2006-07-10 12:52:50
Message-ID: C9B2DD4DEDB9214A84BB2937ACE45B6D1F43E7 () server05 ! 2bsecure ! co ! il
MIMESweeper For Web 5.X Cross Site Scripting
I. INTRODUCTION
MIMESweeper For Web is a policy-based content-security product for web applications. It analyzes web content and blocks pages or files that are prohibited by the organizational security policy.
For more Information please refer to:
http://www.clearswift.com/products/msw/msw_web/default.aspx
II. DESCRIPTION
An XSS vulnerability was discovered by Erez Metula. When a user accesses a URL which is not permitted, the user is redirected to an "access denied" page that is vulnerable to XSS. The page neither validates nor HTML-encodes its input and displays the data "as is".
Usually this means that an attacker can inject HTML or JavaScript code into users' browsers, thereby bypassing the browser's DOM restrictions. This JavaScript code can perform actions on behalf of the user, steal authentication cookies, change the appearance of web pages, perform phishing, and generally can do everything the original page can.
III. EXPLOITATION
The vulnerability can be exploited by just redirecting the client to some URL that is restricted by MIMESweeper policy and adding the script at the end of the URL.
Example PoC:
http://SomeBlackListedSite/<script>PAYLOAD</script>
IV. IMPACT
An attacker can use MIMESweeper's position as a central gateway to spread malicious scripts to users. An example attack scenario: an attacker redirects many users (by email, by posting in the organization portal, etc.) to some blocked URL with an accompanying script that steals their authentication cookies.
V. DETECTION
Detection of this vulnerability involves injecting some HTML tags / scripts into a blocked URL; MIMESweeper then responds with the vulnerable page, which reflects them.
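As an added example (not part of the advisory and not Clearswift's code), the check below uses an inert marker instead of a script and classifies how a block page reflects it; the two render functions are hypothetical stand-ins for the gateway's "access denied" page, before and after HTML-encoding the reflected URL.

```python
"""Reflected-content check for a gateway "access denied" page.

Added example, not from the advisory. The render functions are
constructed stand-ins for the proxy's block page; the fixed variant
shows the HTML-encoding the page should have applied.
"""
import html
from urllib.parse import quote

# Constructed, inert probe: tag-like so encoding matters, but no script.
PROBE = "<xsscheck-7f3a>"


def render_block_page_vulnerable(requested_url: str) -> str:
    """Echoes the requested URL 'as is' (the behaviour the advisory describes)."""
    return (
        "<html><body><h1>Access denied</h1>"
        f"<p>Blocked URL: {requested_url}</p></body></html>"
    )


def render_block_page_fixed(requested_url: str) -> str:
    """Same page with the reflected URL HTML-encoded before insertion."""
    safe_url = html.escape(requested_url, quote=True)
    return (
        "<html><body><h1>Access denied</h1>"
        f"<p>Blocked URL: {safe_url}</p></body></html>"
    )


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Return how the probe appears in the response body.

    'unencoded'   -> markup reaches the browser intact (vulnerable)
    'encoded'     -> HTML entities, rendered as text (fixed)
    'url-encoded' -> percent-encoded, also inert in an HTML context
    'absent'      -> the page does not reflect the URL at all
    """
    if probe in body:
        return "unencoded"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    if quote(probe) in body:
        return "url-encoded"
    return "absent"


def check_block_page(render, blocked_site: str = "http://blocked.example/") -> str:
    """Request a policy-blocked URL with the probe appended to its path."""
    requested = blocked_site + PROBE
    return classify_reflection(render(requested))
```

In a live assessment the render call would be replaced by the HTTP response from the gateway; a result of "unencoded" reproduces the finding.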
VI. WORKAROUND
Clearswift released a patch for this vulnerability following the initial contact and notification. The patch can be obtained from:
http://www.clearswift.com/support/msw/patch_MswWeb.aspx
and is termed "MIMEsweeper for Web 5.1.15 Hotfix".
VII. VENDOR RESPONSE
Clearswift was informed on 27/6/06 by e-mail to their support.
Clearswift released a fixed version of the software.
VIII. DISCLOSURE TIMELINE
27/06/06 Identification of the flaw
27/06/06 Reporting the flaw to clearswift by email
27/06/06 Response from clearswift, asking for more description
27/06/06 Providing the full description to clearswift
28/06/06 Clearswift acknowledges the vulnerability
06/07/06 Patch released by clearswift
09/07/06 Public advisory
IX. CREDITS
The vulnerability was discovered by Erez Metula.
Erez Metula, CISSP
Application Security Department Manager
Security Software Engineer
E-Mail: erezmetula@2bsecure.co.il
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/