Cross Site Scripting vulnerability in ProxySG

Security Advisories ID: 
SA47
Published Date: 
October 1, 2010
Advisory Status: 
Final
Advisory Severity: 
High
CVSS v2 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE Number: 
No CVEs are associated with this vulnerability.

A remote attacker is able to use script to execute CLI commands on the ProxySG as the administrator.

Affected Products: 

All versions of ProxySG prior to 6.1 are vulnerable.

Advisory Details: 

ProxySG is vulnerable to reflected (non-persistent) cross site scripting attacks.  User-provided data is not validated or sanitized before it is included in the HTML page returned to the user.  A remote attacker can exploit this vulnerability to inject script that will execute CLI commands as the administrator.  For the attack to succeed, the script must execute within the administrator's browser while the administrator has an active session open with ProxySG.  By default, sessions are terminated after 15 minutes of inactivity.

Cross site scripting is often used to steal cookies from a browser, which allows an attacker to impersonate the user from another machine.  ProxySG cookies cannot be used on a different machine and therefore are not vulnerable to cookie theft.  Note that the attack described above does not depend on cookie theft: the injected script runs inside the administrator's own browser and issues requests over the administrator's existing session.
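The defect class described above, shown as an added example that is not ProxySG code and not from this advisory: a hypothetical management page that echoes a query parameter back into its HTML. The page template, the host name proxy.example and the parameter name q are assumptions; the two attack URLs are constructed samples. The vulnerable renderer copies the raw value into the page, so the browser sees a script element (or an event-handler attribute) and runs it in the administrator's session; the hardened renderer output-encodes the value for the HTML context, and the same payload arrives as inert text.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical page template (assumption, not a ProxySG page): the user's
# search term is reflected into the body text of the response.
PAGE_TEMPLATE = "<html><body><p>Search results for: {term}</p></body></html>"

# Constructed sample requests against an assumed host and parameter name.
BENIGN_URL = "https://proxy.example/search?q=proxy+policy"
ATTACK_URLS = [
    # Text-context payload: becomes a <script> element if echoed raw.
    "https://proxy.example/search?q=" + quote("<script>alert(document.domain)</script>"),
    # Tag-with-handler payload: becomes an <img> whose onerror handler runs.
    "https://proxy.example/search?q=" + quote('"><img src=x onerror="alert(1)">'),
]


def extract_term(url: str) -> str:
    """Pull the q parameter out of the request URL (URL-decoded)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter without validation or output encoding."""
    return PAGE_TEMPLATE.format(term=extract_term(url))


def render_hardened(url: str) -> str:
    """Encodes <, >, &, and quotes so the value can only ever be text."""
    return PAGE_TEMPLATE.format(term=html.escape(extract_term(url), quote=True))


class ScriptCounter(HTMLParser):
    """Counts markup that would execute script: <script> tags and on* attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.script_tags += 1
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.event_handlers += 1


def count_injected_script(page: str) -> int:
    """Parse the rendered page the way a browser would and count executable markup."""
    counter = ScriptCounter()
    counter.feed(page)
    counter.close()
    return counter.script_tags + counter.event_handlers


if __name__ == "__main__":
    for url in ATTACK_URLS:
        print("vulnerable:", count_injected_script(render_vulnerable(url)), "executable element(s)")
        print("hardened:  ", count_injected_script(render_hardened(url)), "executable element(s)")
```

The parser-based check is deliberately used instead of searching for the literal string "<script>": it catches the attribute-context payload as well, and it confirms that the encoded output contains no element at all rather than merely a differently spelled one. Encoding the value for the context it lands in (here, HTML text) is the fix the patched SGOS releases apply in principle; the workarounds below only shrink the window in which an administrator's browser can be made to run the script.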

Workarounds: 

Customers can limit the impact of this vulnerability in these ways:

  • Ensure the option to enforce web auto-logout is enabled on ProxySG.
  • Manage ProxySG using only the CLI.
  • Use the Java Management Console only from dedicated machines that do not connect to any other internal or external websites.
Patches: 

ProxySG 6.1 - a fix is available in 6.1.1.1 or later.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/5351.

ProxySG 5.5 - a fix is available in 5.5.4.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/41.

ProxySG 5.4 - a fix is available in 5.4.5.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/17.

ProxySG 5.3 - please upgrade to a later release.

ProxySG 4.3 - a fix is available in SGOS 4.3.4.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/13.

For information on how to upgrade SGOS, please see KB3608.  If you do not have a BlueTouch Online login, please search the knowledge base for "bto login".

References: 

The vulnerability was discovered and reported by Patrick Fleming at FishNet Security.

Advisory History: 

2012-01-17 Notification that no fix will be provided for 5.3.  Changed status to final.
2011-02-17  Notification of fix in SGOS 4.3.4.1.  Updated SGOS 5.5 fix information to show the issue is resolved in SGOS 5.5.4.1 GA release and the accompanying link was also updated.  Updated SGOS 5.3 fix information to suggest upgrading to a newer version of SGOS to get the fix.  Added link to KB3608 on how to upgrade SGOS.
2010-11-01 Notification of fix in 5.5.3.5 patch release.
2010-10-28 Credited Patrick Fleming for discovering and reporting the vulnerability.
2010-10-27 Notification of ProxySG version 5.4.5.1 patch release being promoted to GA release.
2010-10-15 Notification of fix in 5.4.5.1 patch release.
2010-10-12 Added additional details and another workaround.
2010-10-07 Added a workaround.
2010-10-01 Initial public release.
