Astaro Security Gateway <= v8.304 Persistent Cross-Site Scripting Vulnerability
Jun 10, 2012 · By Julien Ahrens
ADVISORY INFORMATION
- Product: Astaro Security Gateway
- Vendor URL: https://www.astaro.com
- Type: Cross-site Scripting [CWE-79]
- Date found: 2012-05-11
- Date published: 2012-06-10
- CVSSv2 Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
- CVE: CVE-2012-3238
CREDITS
This vulnerability was discovered and researched by Julien Ahrens from Inshell Security.
VERSIONS AFFECTED
Astaro Security Gateway v8.304. Older versions are affected too.
VULNERABILITY DETAILS
A persistent cross-site scripting vulnerability has been found in the Astaro Security Gateway product.
The vulnerability is located in the backup-function of the software:
Vulnerable Module(s):
- Management -> Backup/Restore
Parameter: “Comment (optional)”
The input field “Comment (optional)” is shown on the “Available backups” view after successful creation of a new backup and is also included in the backup-file itself.
Due to improper input validation of this field, an attacker could permanently inject arbitrary code into the context of the firewall-interface; user interaction is required. Successful exploitation of the vulnerability allows, for example, cookie theft, session hijacking or server-side context manipulation.
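The following is an added example, not code from this advisory or from the vendor. It shows why the comment has to be encoded when the “Available backups” view is rendered: the value also travels inside the backup-file, so a check at creation time alone does not cover imported backups. The record layout, file names and function names are assumptions, since the advisory does not describe the interface code or the backup format.

```python
import html

# Constructed sample records (hypothetical layout, not the real backup format).
BACKUPS = [
    {"file": "backup_a.bak", "source": "created", "comment": "before upgrade"},
    {"file": "backup_b.bak", "source": "imported",
     "comment": "<script>alert(1)</script>"},
]


def render_row_unsafe(backup):
    """Pattern that leads to stored XSS: the comment is placed in HTML as-is."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        backup["file"], backup["comment"])


def render_row_safe(backup):
    """Encode every stored value at output time, whatever its origin."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(backup["file"], quote=True),
        html.escape(backup["comment"], quote=True))


def flag_suspicious(backups):
    """Audit helper: list backups whose comment contains HTML-significant
    characters, i.e. whose text changes when it is HTML-encoded."""
    return [b["file"] for b in backups
            if html.escape(b["comment"], quote=True) != b["comment"]]


if __name__ == "__main__":
    for b in BACKUPS:
        print(render_row_safe(b))
    print("review:", flag_suspicious(BACKUPS))
```

Encoding at render time neutralises the comment regardless of whether the backup was created locally or imported, which is the path this advisory describes.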
PROOF OF CONCEPT
An attacker needs to force the victim to import an arbitrary backup-file. The victim does not need to apply the backup, only the import is required to exploit the vulnerability.
SOLUTION
Update to v8.305.
REPORT TIMELINE
- 2012-05-12: Initial notification sent to vendor
- 2012-05-12: Vendor response
- 2012-05-12: Vulnerability details reported to vendor
- 2012-05-15: Vendor acknowledgement
- 2012-05-31: Vendor releases Update / Fix
- 2012-06-10: Coordinated public release of advisory