Bugtraq mailing list archives
RE: Websense Blocked Sites XSS
From: "Mr. P.Taylor" <petert () imagine-sw com>
Date: Fri, 5 Dec 2003 16:52:54 -0500
Greg,

Actually that parameter is $*WS_URL*$ within the "block.html" page/frame referred to by the "master.html" page. But that's beside the point that no content filtering is being performed.

I'm hoping my responses to 3APA3A's queries have been posted by now, as many people run the software configured per the DIRECTIONS in the MANUAL, which will allow the software to be used as one of the stepping stones in compromising an internal user's system.

Peter Taylor
CSO
Imagine Software Inc.

"There is a principle which is a bar against all information, which is proof against all arguments and which cannot fail to keep a man in everlasting ignorance - that principle is contempt prior to investigation." Herbert Spencer
-----Original Message-----
From: Greg Meehan [mailto:GMeehan () LifeTimeFitness com]
Sent: Friday, December 05, 2003 3:05 PM
To: 3APA3A; Mr. P.Taylor
Cc: aleph1 () securityfocus com; bugtraq () securityfocus com
Subject: RE: Websense Blocked Sites XSS

FYI: You can use a customized block page in /custom that does not display the URL, such as creating a "Sorry, This URL is Blocked" page with your company's logo. Heck, you can also just edit the "master.html" block page in the /default dir to remove the URL displayed field.

-Greg

-----Original Message-----
From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU]
Sent: Friday, December 05, 2003 7:09 AM
To: Mr. P.Taylor
Cc: aleph1 () securityfocus com; bugtraq () securityfocus com
Subject: Re: Websense Blocked Sites XSS

Dear Mr. P.Taylor,

It runs the error message in the context of the blocked site. Now let's try to find out the possible impacts:

1. It's possible to run JavaScript on the user's host in the context of the blocked site. But most likely the blocked site is not in the list of trusted web sites on the user's host, so it's impossible to get something different from running the same script on another web page.

2. It's possible to steal a cookie, submit some forms, etc., on the blocked site. But the site is blocked. So it's impossible to steal something from or submit something to this site.

Conclusion: there is no security impact.

Post Conclusion: Guys, it's perfect that you can find all these XSS/CSS bugs in John Doe's guest books, Read-Doc-from-CDRom servers, etc. But please think about the _security_ impact before submitting this to _security_ related lists.
--Wednesday, December 3, 2003, 7:35:39 PM, you wrote to dhubbard () websense com:

MPT> Websense Blocked Sites XSS
MPT> Risk: High
MPT> Product: Websense Enterprise v4.3.0 - v5.1 (Maybe others; we only tested this version)
MPT> Product URL: http://www.websense.com
MPT> Found By: PeterT - petert () imagine-sw com
MPT>
MPT> Problem:
MPT> When Websense blocks a web site, it returns a web page to the browser stating
MPT> that the site has been blocked. This error message contains the URL which was
MPT> requested. Websense does not do any validation or encoding of the URL before
MPT> returning it in the error message. This allows an attacker to supply a URL that
MPT> contains script (JavaScript, ActiveX, VB). This script will run in the context
MPT> of a server in the trusted domain and, combined with other IE flaws, can have
MPT> serious consequences.
MPT> We have marked this as a High risk because we believe that allowing attackers
MPT> to run arbitrary programs on your desktop at will is a serious problem.
MPT>
MPT> Proof of Concept:
MPT> A URL like
MPT> http://BlockedSite?<SCRIPT>alert('hello')</SCRIPT> will run script.
MPT>
MPT> Resolution:
MPT> The vendor has come out with a patch. Notified on Nov 29, 2003.
MPT> Thanks to Websense for fixing this issue.
MPT>
MPT> Disclaimer:
MPT> Standard disclaimer applies. The opinions expressed in this advisory are
MPT> our own and not of any company. The information within this advisory may
MPT> change without notice. Use of this information constitutes acceptance for
MPT> use in an AS IS condition. There are no warranties with regard to this
MPT> information. In no event shall the author be liable for any damages
MPT> whatsoever arising out of or in connection with the use or spread of this
MPT> information. Any use of this information is at the user's own risk.

--
~/ZARAZA
For facts are facts, and they are set forth only so that they may be understood and believed. (Twain)
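The following is an added example, not code from this thread or from Websense, that puts the three positions above side by side: the unencoded substitution the advisory describes, the output-encoding fix a vendor patch would apply, and the "don't echo the URL at all" custom block page Greg suggests. Only the $*WS_URL*$ placeholder name and the proof-of-concept URL come from the messages; the template text, the function names and the check are assumptions made for illustration.

```python
import html

# Hypothetical stand-in for the block.html fragment. Only the $*WS_URL*$
# placeholder name is taken from the thread; the surrounding markup is a
# reconstruction for illustration, not Websense's actual template.
BLOCK_TEMPLATE = (
    "<html><body><h1>Access to this site has been blocked</h1>"
    "<p>Requested URL: $*WS_URL*$</p></body></html>"
)

# Payload from the advisory's proof of concept.
POC_URL = "http://BlockedSite?<SCRIPT>alert('hello')</SCRIPT>"


def render_block_page_vulnerable(requested_url: str) -> str:
    """Reproduces the flaw the advisory describes: the requested URL is
    substituted into the HTML verbatim, so any markup in it becomes live
    markup in the block page."""
    return BLOCK_TEMPLATE.replace("$*WS_URL*$", requested_url)


def render_block_page_encoded(requested_url: str) -> str:
    """Hardened variant: HTML-encode the URL before substitution so that
    <, >, &, and quotes are rendered as text instead of parsed as markup.
    The user still sees the full URL they asked for."""
    safe = html.escape(requested_url, quote=True)
    return BLOCK_TEMPLATE.replace("$*WS_URL*$", safe)


def render_block_page_no_url(requested_url: str) -> str:
    """Greg Meehan's mitigation: a custom block page that never echoes the
    requested URL, so there is nothing attacker-controlled to encode."""
    return "<html><body><h1>Sorry, This URL is Blocked</h1></body></html>"


def contains_live_script(page: str) -> bool:
    """Crude check for a raw <script> tag in the rendered page. The PoC
    uses an uppercase <SCRIPT>, so the comparison is case-insensitive."""
    return "<script" in page.lower()


def url_as_displayed(page: str) -> str:
    """Recover the URL text from the 'Requested URL' paragraph with HTML
    entities decoded, i.e. what the user reads on the encoded page."""
    start = page.index("Requested URL: ") + len("Requested URL: ")
    end = page.index("</p>", start)
    return html.unescape(page[start:end])


if __name__ == "__main__":
    for name, render in (
        ("vulnerable", render_block_page_vulnerable),
        ("encoded", render_block_page_encoded),
        ("no-url", render_block_page_no_url),
    ):
        page = render(POC_URL)
        print(f"{name:10s} live script: {contains_live_script(page)}")
```

Encoding fixes the echo regardless of which origin the block page ends up in, which is the part of 3APA3A's objection that does not need settling here: whether the script runs as the blocked site or as a "trusted domain" server only changes what it can reach, not whether the page should ever turn a request URL into markup.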
Current thread:
- Websense Blocked Sites XSS Mr. P.Taylor (Dec 03)
- Re: Websense Blocked Sites XSS 3APA3A (Dec 05)
- RE: Websense Blocked Sites XSS Mr. P.Taylor (Dec 05)
- Re: Websense Blocked Sites XSS Eric "MightyE" Stevens (Dec 08)
- <Possible follow-ups>
- RE: Websense Blocked Sites XSS Greg Meehan (Dec 05)
- RE: Websense Blocked Sites XSS Mr. P.Taylor (Dec 05)
- RE: Websense Blocked Sites XSS Hubbard, Dan (Dec 05)
- Re: Websense Blocked Sites XSS 3APA3A (Dec 05)