Cross Site Scripting and Cross Site Request Forgery vulnerabilities in Reporter

Security Advisories ID: SA72
Published Date: December 12, 2012
Advisory Status: Final
Advisory Severity: High
CVE Number: No CVE has been assigned at this time.

A remote attacker can use crafted URL links and/or malicious scripts to execute Reporter commands if the administrator has an active session in the Reporter management console, because the administrator's browser attaches the console's session cookie to any request aimed at it, regardless of which page issued that request.

Affected Products: 

All versions of Reporter prior to 9.4 are vulnerable. Windows, Linux, and Virtual Appliance versions are all vulnerable.

Advisory Details: 

Reporter is vulnerable to reflected (non-persistent) cross site scripting (XSS). User-supplied parameters are neither validated nor output-encoded before being echoed back in the responses to requests issued from the client, so an attacker who gets an administrator to follow a crafted link can run script in the context of the management console. The CVSS score for the cross site scripting vulnerability is 2.3 (AV:A/AC:M/Au:S/C:N/I:P/A:N).

Reporter is also vulnerable to cross site request forgery (CSRF) through a variety of mechanisms, since state-changing requests are accepted on the strength of the session cookie alone. An attacker who lures a Reporter administrator to browse a malicious website can use CSRF to submit commands to Reporter and gain control of the product. Commands that the attacker can submit include changing the password, changing the policy, and restarting the product. The CVSS score for the CSRF vulnerability is 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C).
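The two weaknesses described above, and the server-side fixes for them, are easiest to see side by side. The following is an added example written for this page, not Reporter's code: a hypothetical management-console handler in two versions. The vulnerable password-change handler trusts the session cookie alone, so a form auto-submitted by the attacker's page succeeds; the hardened one additionally requires that the browser-supplied Origin (or, failing that, Referer) be the console's own origin and that the form carry a per-session synchronizer token that a cross-site page cannot read. The reflected-XSS pair shows the same query echoed raw and HTML-encoded. The console origin, endpoint shape, cookie name and request contents are all constructed assumptions.

```python
from __future__ import annotations

import hmac
import html
import secrets
from urllib.parse import urlsplit

# Assumed origin of the management console (hypothetical, not from the advisory).
CONSOLE_ORIGIN = "https://reporter.example.internal"


class AdminSession:
    """Server-side state for one logged-in administrator (constructed for the example)."""

    def __init__(self, user: str) -> None:
        self.user = user
        self.password = "initial-secret"
        # Synchronizer token: random, per session, embedded in every legitimate form.
        self.csrf_token = secrets.token_urlsafe(32)


def vulnerable_change_password(session: AdminSession, request: dict) -> tuple[int, str]:
    """Accepts any POST that arrives with a valid session cookie.
    A page the administrator merely visits can auto-submit such a POST and the
    browser attaches the console's cookie to it: the CSRF the advisory describes."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    session.password = request["form"]["new_password"]
    return 200, "password changed"


def _request_origin(headers: dict) -> str | None:
    """Origin of the page that issued the request: Origin header, else Referer."""
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None  # neither header present: treat as untrusted


def hardened_change_password(session: AdminSession, request: dict) -> tuple[int, str]:
    """Same action, but the request must prove it came from the console's own pages."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    # Check 1: the source origin reported by the browser must be the console itself.
    # A cross-site form post carries the attacker's Origin (or no usable Referer).
    if _request_origin(request["headers"]) != CONSOLE_ORIGIN:
        return 403, "cross-origin request rejected"
    # Check 2: the form must carry the token bound to this session. The attacker's
    # page cannot read it (same-origin policy), so a forged form cannot include it.
    # Constant-time comparison on bytes avoids both timing leaks and TypeError on
    # non-ASCII input.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    session.password = request["form"]["new_password"]
    return 200, "password changed"


def vulnerable_search_page(query: str) -> str:
    """Reflects the query verbatim: the reflected XSS pattern from the advisory."""
    return f"<p>Results for {query}</p>"


def hardened_search_page(query: str) -> str:
    """HTML-encodes the reflected value so it can only render as text."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


def forged_request(new_password: str) -> dict:
    """Constructed sample of what the victim's browser sends after the attacker's page
    auto-submits a form: session cookie present, foreign Origin, no csrf_token."""
    return {
        "method": "POST",
        "headers": {"Origin": "https://attacker.example", "Cookie": "reporter_session=abc123"},
        "form": {"new_password": new_password},
    }


def legitimate_request(session: AdminSession, new_password: str) -> dict:
    """Constructed sample of the same action submitted from the console's own form."""
    return {
        "method": "POST",
        "headers": {"Origin": CONSOLE_ORIGIN, "Cookie": "reporter_session=abc123"},
        "form": {"new_password": new_password, "csrf_token": session.csrf_token},
    }


def demo() -> dict:
    """Runs both handlers against forged and legitimate requests; returns the outcomes."""
    s1 = AdminSession("admin")
    v_status, _ = vulnerable_change_password(s1, forged_request("pwned"))
    s2 = AdminSession("admin")
    h_forged, _ = hardened_change_password(s2, forged_request("pwned"))
    password_after_forgery = s2.password
    h_legit, _ = hardened_change_password(s2, legitimate_request(s2, "rotated"))
    probe = "<script>alert(1)</script>"
    return {
        "vulnerable_forged": (v_status, s1.password),
        "hardened_forged": (h_forged, password_after_forgery),
        "hardened_legitimate": (h_legit, s2.password),
        "xss_vulnerable": vulnerable_search_page(probe),
        "xss_hardened": hardened_search_page(probe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The Origin/Referer check and the synchronizer token are independent layers; either alone stops the plain cross-site form post, and requiring both means a gap in one (a browser or proxy that strips Referer, a token leaked into a log) does not by itself reopen the hole. On current browsers a `SameSite` attribute on the session cookie adds a third layer, but that attribute did not exist when this advisory was written, which is why the workarounds below lean on isolating the browser and ending the session.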

Workarounds: 

Customers can limit the impact of these vulnerabilities in the following ways:

  • Access Reporter from a dedicated machine whose browser does not connect to any other internal or external websites, so no attacker-controlled page can be loaded while a console session exists.
  • Update your browser regularly to take advantage of browser-based protections.
  • Always log out of Reporter and close the browser window when management tasks have been completed, so that no authenticated session remains for a forged request to ride on.

Patches: 

Reporter 9.3 – a fix is available in 9.3.3.2 for Windows, Linux and Virtual Reporter versions. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/8793.

Reporter 9.2 and earlier – please upgrade to a later version.

Reporter 8.3 and earlier – please upgrade to a later version.

Advisory History: 

2012-12-12 Initial public release