Julien Ahrens

Vulnerability Intel | ROP Gadget Hunter | Privacy Enthusiast | Full-time BugBounty hunter | @Hacker0x01 MVH | @SynackRedTeam member | on a world-trip

CVE-2013-5702: Watchguard Server Center v11.7.4 Multiple XSS Vulnerabilities

21 Oct 2013 » Advisory, Exploit

Great news from the vulnerability front! I’m happy to see that the quality of vulnerability coordination with Watchguard has improved to my satisfaction over the past few months, and the following new vulnerability disclosure proves it: reported –> ACK’ed –> bypassed –> fixed –> update v11.8 released, which fixes the XSS issues!

The vulnerabilities are standard reflected (non-persistent) Cross-Site Scripting issues; they allow context manipulation in the victim’s browser, session hijacking and finally account theft.

A typical exploit payload looks like this: `<script>alert(document.cookie)</script>`

resulting in:


Two interesting facts:

  1. At first glance the serial number looks like a mitigating factor that would make exploitation harder for an attacker. It is not: the attacker does not need to know the serial number at all. The GET parameter “sn” can contain any random value; it only must not be empty.
  2. These XSS issues are authenticated vulnerabilities, with the “advantage” (from the attacker’s point of view) that the payload is not lost when the victim is not logged in: if the victim is currently not logged into the Watchguard Server Center, he is redirected to the login page, which carries the payload in another GET parameter, “from_page”:

and after the successful login the script code is re-executed, leading to session ID theft.
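The two facts above, modelled as an added example (this is illustration code written for this post, not Watchguard’s code): a minimal login-page renderer that reflects the “sn” and “from_page” parameters into HTML. The vulnerable variant only checks that “sn” is non-empty, which shows why that check is no mitigation, and it reflects “from_page” verbatim, so a payload survives the login redirect. The hardened variant HTML-escapes everything it reflects and only accepts a same-site relative path as the post-login redirect target. The function names, the HTML template and the sample parameters are assumptions made for this illustration.

```python
import html
from urllib.parse import urlparse

# Constructed sample payload, the same one shown in the advisory.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_vulnerable(params: dict) -> str:
    """Assumed model of the flawed behaviour: reflect parameters verbatim,
    guarded only by a 'serial number must be present' check."""
    sn = params.get("sn", "")
    if not sn:
        return "<p>missing serial number</p>"
    from_page = params.get("from_page", "")
    # Both values land in the markup unescaped: any non-empty "sn" is enough,
    # and "from_page" carries the payload through the login redirect.
    return f'<input name="sn" value="{sn}"><a href="{from_page}">continue</a>'


def safe_from_page(value: str, default: str = "/") -> str:
    """Accept only a same-site relative path as a redirect target.
    Anything with a scheme, a host, a protocol-relative prefix, a backslash,
    control characters or HTML metacharacters falls back to the default."""
    if not value or not value.startswith("/") or value.startswith("//"):
        return default
    parsed = urlparse(value)
    if parsed.scheme or parsed.netloc:
        return default
    if any(ord(c) < 0x20 or c in '<>"\'\\' for c in value):
        return default
    return value


def render_hardened(params: dict) -> str:
    """Hardened variant: escape every reflected value for the HTML attribute
    context and validate the redirect target before reflecting it."""
    sn = html.escape(params.get("sn", ""), quote=True)
    target = html.escape(safe_from_page(params.get("from_page", "")), quote=True)
    return f'<input name="sn" value="{sn}"><a href="{target}">continue</a>'


def is_reflected_unescaped(markup: str) -> bool:
    """True if the raw payload appears in the rendered page, i.e. XSS."""
    return PAYLOAD in markup


if __name__ == "__main__":
    # Any non-empty serial number is enough for the vulnerable renderer.
    print(is_reflected_unescaped(render_vulnerable({"sn": "anything", "from_page": PAYLOAD})))
    print(is_reflected_unescaped(render_hardened({"sn": "anything", "from_page": PAYLOAD})))
```

Note that escaping alone would already stop the script from executing; validating “from_page” separately closes the open-redirect side of the same parameter, which escaping does nothing about.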

The official Full-Disclosure post can be found here and the official Watchguard statement can be found here.