[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] RE: MIMESweeper For Web 5.X Cross Site Scripting
From:       "Erez Metula" <erezmetula () 2bsecure ! co ! il>
Date:       2006-07-10 12:52:50
Message-ID: C9B2DD4DEDB9214A84BB2937ACE45B6D1F43E7 () server05 ! 2bsecure ! co ! il
[Download RAW message or body]



MIMESweeper For Web 5.X Cross Site Scripting


I. INTRODUCTION

MIMESweeper For Web is a policy-based content security for web applications. It \
analyzes web content and blocks pages or files that are prohibited by the \
organizational security policy.

For more Information please refer to:
http://www.clearswift.com/products/msw/msw_web/default.aspx


II. DESCRIPTION

A XSS vulnerability was discovered by Erez Metula. When accessing a URL which is not \
permitted the user is redirected to an "access denied" page that is vulnerable to \
XSS. The page does not input validate / HTML Encode the input and displays the data \
"as is".

Usually this means that it enables an attacker to inject HTML or Javascript code into \
users's browsers, and by that bypassing the browser DOM restrictions. This javascript \
code can perform actions on behalf of the user, steal authentication cookies, change \
the appearance of web pages, perform phishing ,and generally can do everything to the \
original page.  

III. EXPLOITATION

The vulnerability can be exploited by just redirecting the client to some URL that is \
restricted by MIMESweeper policy and adding the script at the end of the URL.

Example PoC:
http://SomeBlackListedSite/<script>PAYLOAD</script>

 
IV. IMPACT

Using the MIMESweeper capabilities of a central gateway to spread malicious scripts \
to users. An example attack scenario could be that an attacker will redirect many \
users (by email, posting in the organization portal, etc.) to some blocked URL and an \
accompanying script that will steal their authentication cookies.

V. DETECTION

Detection of this vulnerability involves injecting some HTML tags / scripts to a \
blocked URL that will be responded by the MIMESweeper with the vulnerable page.

VI. WORKAROUND

Clearswift released a patch for this vulnerability, following the initial contact \
&notification. The patch can be obtained from:
http://www.clearswift.com/support/msw/patch_MswWeb.aspx
termed as "MIMEsweeper for Web 5.1.15 Hotfix"


VII. VENDOR RESPONSE

Clearswift has been informed on the 27/6/06 by e-mail to their support.
Clearswift released a fixed version of the software.


VIII. DISCLOSURE TIMELINE

27/06/06            Identification of the flaw
27/06/06            Reporting the flaw to clearswift by email
27/06/06            Response from clearswift, asking for more description
27/06/06            Providing the full description to clearswift
28/06/06            Clearswift acknowledge of the vulnerability
06/07/06            Patch released by clearswift
09/07/06            Public advisory


IX. CREDITS

The vulnerability was discovered by Erez Metula.

Erez Metula, CISSP    
Application Security Department Manager
Security Software Engineer
E-Mail:  erezmetula@2bsecure.co.il



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic