TITLE: 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance
SUMMARY
Cross Site Scripting bug in the 'delhomepage.cgi' CGI binary in the
Netscreen NetScreen-SA 5000 Series SSL VPN appliance.
DETAILS
There exists a cross-site scripting bug in the 'row' parameter of the
'delhomepage.cgi' CGI binary. This bug was discovered on an appliance
known as an "A5030-Clustered pair" running firmware version 3.3 Patch 1
(build 4797). The vulnerability may exist in other versions. This issue
may result in the theft of credentials such as session cookies, allow
hostile client-side scripts to run with unintended access privileges, or
provide a means for a "phishing" attack. For more detailed descriptions
of Cross Site Scripting and its implications, please refer to whitepapers
such as:
http://www.cgisecurity.com/articles/xss-faq.shtml
http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf
The 'delhomepage.cgi' is accessible only by authenticated users.
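One way to look for attempts against this bug in web logs, as an added example that is not part of the original advisory: it flags requests to 'delhomepage.cgi' whose 'row' value decodes to HTML markup characters. The log format, the /PLACEHOLDER/ path and the function names are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in an assumed common-log-style format.
# /PLACEHOLDER/ stands in for the real CGI directory, which the advisory
# does not give.
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Mar/2004:10:01:11 -0500] "GET /PLACEHOLDER/delhomepage.cgi?row=3 HTTP/1.1" 200 512
10.0.0.9 - bob [02/Mar/2004:10:02:40 -0500] "GET /PLACEHOLDER/delhomepage.cgi?row=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 530
10.0.0.9 - bob [02/Mar/2004:10:03:02 -0500] "GET /PLACEHOLDER/other.cgi?row=%3Cb%3E HTTP/1.1" 200 128
10.0.0.7 - carol [02/Mar/2004:10:04:55 -0500] "GET /PLACEHOLDER/delhomepage.cgi?row=%253Cb%253E HTTP/1.1" 200 530
10.0.0.5 - alice [02/Mar/2004:10:05:13 -0500] "POST /PLACEHOLDER/delhomepage.cgi HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MARKUP_CHARS = set("<>\"'")  # characters that can break out into HTML


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_row_requests(log_text):
    """Return (line number, decoded 'row' value) for each flagged request."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # Only the CGI binary named in the advisory is of interest here.
        if not url.path.endswith("/delhomepage.cgi"):
            continue
        # parse_qs decodes once; decode_fully catches nested encoding.
        for raw in parse_qs(url.query, keep_blank_values=True).get("row", []):
            value = decode_fully(raw)
            if MARKUP_CHARS & set(value):
                hits.append((lineno, value))
    return hits


if __name__ == "__main__":
    for lineno, value in suspicious_row_requests(SAMPLE_LOG):
        print(f"line {lineno}: row={value!r}")
```

Because the binary is reachable only by authenticated users, the user field on a flagged line identifies the session in which the request was made.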
WORKAROUND
Upgrade to the patched version of IVE software. Contact Netscreen support
for details.
ORIGINATOR
The issue was discovered by Mark Lachniet of Analysts International
[lachniet -=at=- analysts.com] during a security analysis of the web
application interface of the device. Analysts International's security
team provides a variety of security services and can be reached at
[SecurityServices -=at=- analysts.com].
MAINTAINER
The maintainer of the Netscreen IVE SSL VPN Appliance is the Netscreen
Corporation [http://www.netscreen.com]. The following information about
security at Netscreen is taken from the Security Center web page at:
"Please report any potential or real instances of a security vulnerability
(with any NetScreen product or service) to the NetScreen Security Alert
Team at [EMAIL PROTECTED] . For immediate assistance, TAC is available
24 hours a day by calling 1-877-NETSCREEN."
VENDOR RESPONSE
In the opinion of the author, the Netscreen corporation responded quickly and
efficiently to this issue, and clearly takes the security of their products
seriously. Netscreen should be commended for their prompt and professional
handling of the issue.
DATE OF CONTACT
2/6/2004 - Sent E-Mail to Sriram Ramachandran
[SRamachandran -=at=- netscreen.com]
and received response. Immediately discussed issue via conference call.
The bug was confirmed by the Netscreen staff.
2/7/2004 - Draft advisory sent to Netscreen support staff
2/9/2004 - Ongoing dialog with Netscreen on issue
2/11/2004 - Ongoing dialog with Netscreen on issue
2/18/2004 - Ongoing dialog with Netscreen on issue
2/23/2004 - Ongoing dialog with Netscreen on issue
2/25/2004 - Advisory updated based on vendor response
3/02/2004 - Final advisory released