Astaro Security Gateway ‘Comment (optional)’ 跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1172560 漏洞类型 跨站脚本
发布时间 2012-06-12 更新时间 2012-06-12
CVE编号 CVE-2012-3238 CNNVD-ID CNNVD-201206-302
漏洞平台 N/A CVSS评分 4.3
|漏洞来源
https://www.securityfocus.com/bid/53939
https://cxsecurity.com/issue/WLB-2012060119
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201206-302
|漏洞详情
AstaroSecurityGateway中的WebAdmin内的Backup/Restore组件中存在跨站脚本漏洞,该漏洞源于对用户提供的输入在使用动态生成内容之前未经正确的验证。攻击者提供的HTML和脚本代码可在受影响网站上下文中运行,窃取基于cookie的认证证书或控制网站传达给用户的方式。AstaroSecurityGateway8.305之前版本中存在漏洞,其他版本也可能受到影响。
|漏洞EXP
Inshell Security Advisory
http://www.inshell.net/


1. ADVISORY INFORMATION
-----------------------
Product:        Astaro Security Gateway
Vendor URL:     www.astaro.com / www.sophos.com
Type:           Cross-site Scripting [CWE-79]
Date found:     2012-05-11
Date published: 2012-06-10
CVSSv2 Score:   3,5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVE:            CVE-2012-3238


2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.


3. VERSIONS AFFECTED
--------------------
Astaro Security Gateway v8.304, older versions are affected too.


4. VULNERABILITY DESCRIPTION
----------------------------
A Persistent Cross-Site Scripting Vulnerability has been found on the
Astaro Security Gateway product.

The vulnerability is located in the backup-function of the software:

Vulnerable Module(s):
+Management -> Backup/Restore
 Parameter: "Comment (optional)"

The input field "Comment (optional)" is shown on the "Available backups"
view after successful creation of a new backup and is also included into
the backup-file itself.

Due to improper input - validation of this input field, an attacker
could permanently inject arbitrary code with required user interaction
into the context of the firewall-interface. Successful exploitation of
the vulnerability allows for example cookie theft, session hijacking or
server side context manipulation.


5. PROOF-OF-CONCEPT (CODE / EXPLOIT)
------------------------------------
An attacker needs to force the victim to import an arbitrary
backup-file. The victim does not need to apply the backup, only the
import is required to exploit the vulnerability.

For further information (screenshots, PoCs etc.) visit:
http://security.inshell.net/advisory/27


6. SOLUTION
-----------
Update to v8.305.


7. REPORT TIMELINE
------------------
2012-05-12: Initial notification sent to vendor
2012-05-12: Vendor response
2012-05-12: Vulnerability details reported to vendor
2012-05-15: Vendor acknowledgement
2012-05-31: Vendor releases Update / Fix
2012-06-10: Coordinated public release of advisory


8. REFERENCES
-------------
http://www.astaro.com/en-uk/blog/up2date/8305
http://security.inshell.net
|受影响的产品
Astaro Security Gateway 8.304 Astaro Security Gateway 8.300 Astaro Security Gateway 8.1
|参考资料

来源:www.astaro.com
链接:http://www.astaro.com/en-uk/blog/up2date/8305
来源:security.inshell.net
链接:http://security.inshell.net/advisory/27
来源:FULLDISC
名称:20120610[CVE-2012-3238]AstaroSecurityGateway<=v8.304PersistentCross-SiteScriptingVulnerability
链接:http://archives.neohapsis.com/archives/fulldisclosure/2012-06/0206.html
来源:BID
名称:53939
链接:http://www.securityfocus.com/bid/53939