Cross Site Scripting vulnerability in ProxySG
A remote attacker is able to use script to execute CLI commands on the ProxySG as the administrator.
All versions of ProxySG prior to 6.1 are vulnerable.
ProxySG is vulnerable to reflected (non-persistent) cross site scripting attacks. User provided data is not validated or sanitized prior to including it in the HTML page returned to the user. A remote attacker can exploit this vulnerability to inject script that will execute CLI commands as the administrator. The remote attacker must execute the script within the administrator's browser while the administrator has an active session open with ProxySG. By default, sessions are terminated after 15 minutes of inactivity.
Cross site scripting is often used to steal cookies from a browser. This allows an attacker to impersonate the user on another machine. ProxySG cookies cannot be used on a different machine and therefore are not vulnerable to cookie theft.
Customers can limit the impact of this vulnerablity in these ways:
- Ensure the option to enforce web auto-logout is enabled on ProxySG.
- Manage ProxySG using only the CLI.
- Use the Java Management Console only from dedicated machines that do not connect to any other internal or external websites.
ProxySG 6.1 - a fix is available in 188.8.131.52 or later. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/5351
ProxySG 5.5 - a fix is available in 184.108.40.206. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/41.
ProxySG 5.4 - a fix is available in 220.127.116.11. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/17.
ProxySG 5.3 - please upgrade to a later release.
ProxySG 4.3 - a fix is available in SGOS 18.104.22.168. The fix is available to customers with a valid BlueTouch online login from https://bto.bluecoat.com/download/product/13.
For information on how to upgrade SGOS, please see KB3608. If you do not have a BlueTouch Online login, please search the knowledge base for "bto login".
The vulnerability was discovered and reported by Patrick Fleming at FishNet Security.
2012-01-17 Notification that no fix will be provided for 5.3. Changed status to final.
2011-02-17 Notification of fix in SGOS 22.214.171.124. Updated SGOS 5.5 fix information to show the issue is resolved in SGOS 126.96.36.199 GA release and the accompanying link was also updated. Updated SGOS 5.3 fix information to suggest upgrading to a newer version of SGOS to get the fix. Added link to KB3608 on how to upgrade SGOS.
2010-11-01 Notification of fix in 188.8.131.52 patch release.
2010-10-28 Credited Patrick Fleming for discovering and reporting the vulnerability.
2010-10-27 Notification of ProxySG version 184.108.40.206 patch release being promoted to GA release.
2010-10-15 Notificaiton of fix in 220.127.116.11 patch release.
2010-10-12 Added additional details and another workaround.
2010-10-07 Added a workaround.
2010-10-01 Initial public release.