Cross Site Scripting and Cross Site Request Forgery vulnerabilities in Reporter
A remote attacker can use URL links and/or malicious scripts to execute Reporter commands if the administrator has an active session in the Reporter management console.
All versions of Reporter prior to 9.4 are vulnerable. Windows, Linux, and Virtual Appliance versions are all vulnerable.
Reporter is vulnerable to reflected (non-persistent) cross site scripting (XSS) attacks. User provided data is not validated or sanitized prior to returning it in response to methods issued from the client. The CVSS score for the cross site scripting vulnerability is 2.3 (AV:A/AC:M/Au:S/C:N/I:P/A:N).
Reporter is also vulnerable to cross site request forgery (CSRF) through a variety of mechanisms. An attacker who lures a Reporter administrator to browse a malicious website can use cross site request forgery (CSRF) to submit commands to Reporter and gain control of the product. Commands that the attacker can submit include changing the password, changing the policy, and restarting the product. The CVSS score for the CSRF vulnerability is 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C).
Customers can limit the impact of this vulnerability in these ways:
- Access Reporter using a dedicated machine that does not connect to any other internal or external websites.
- Update your browser regularly to take advantage of browser based protections.
- Always log out and close the browser window when management tasks have been completed.
Reporter 9.3 – a fix is available in 188.8.131.52 for Windows, Linux and Virtual Reporter versions. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/8793.
Reporter 9.2 and earlier – please upgrade to a later version.
Reporter 8.3 and earlier – please upgrade to a later version.
OWASP information about XSS – www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
OWASP information about CSRF – https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
Web Application Security Consortium on CSRF – http://projects.webappsec.org/w/page/13246919/Cross%20Site%20Request%20F...
2012-12-12 Initial public release