Security Advisories

September 15, 2011 - Director Cross Site Scripting vulnerability

Security Advisories ID:    SA62
Version:    2.0
Status:    Published
Published date:    09/08/2011
Updated:    01/17/2012
 

Advisory Status

Interim

Advisory Severity

Low, CVSS v2 base score 3.3 (AV:A/AC:L/Au:N/C:N/I:P/A:N)

CVE Number

No CVEs are associated with this vulnerability.

Summary

An attacker can use the HTTP TRACE method to echo malicious script back to the client as part of a Cross Site Scripting (XSS) attack.  No authentication is required.

Affected Products

All versions of Director prior to 5.5.2.3 are vulnerable.

Details

Director is vulnerable to reflected (non-persistent) cross site scripting attacks. User-provided data is not validated or sanitized before it is returned in the response to an HTTP TRACE method issued from the client.

The attacker cannot use this vulnerability to steal the administrator's cookies and impersonate the administrator on another machine.  The attacker can use this vulnerability to execute malicious script on the client machine.
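The behaviour described above is cross-site tracing: a server that implements TRACE by echoing the request verbatim will reflect whatever the client sent. The following is an added example, not Blue Coat code, showing how a defender can verify from a captured response whether a TRACE probe was echoed, and what the hardened request dispatch looks like (refuse TRACE with 405 and copy nothing from the request into the response). The marker header name, the hostname and both sample responses are constructed for this example.

```python
"""Added example (not from the advisory or Blue Coat): detect an echoed HTTP
TRACE probe and show a handler that refuses TRACE. Marker header, hostname
and sample responses below are constructed."""

from typing import Dict, Tuple

# Hypothetical marker header: a server that echoes TRACE returns it verbatim
# in the body, which is the signal we look for.
MARKER_HEADER = "X-Xst-Probe"
MARKER_VALUE = "probe-4f1c"


def build_trace_probe(host: str, path: str = "/") -> bytes:
    """Build a minimal TRACE request carrying the marker header."""
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"{MARKER_HEADER}: {MARKER_VALUE}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_is_echoed(raw_response: bytes) -> bool:
    """True if the server answered TRACE with 200 and reflected the marker.

    A compliant TRACE echo is labelled Content-Type: message/http, but the
    decisive evidence is the marker header coming back unmodified in the body.
    """
    status, _headers, body = parse_response(raw_response)
    if status != 200:
        return False
    marker = f"{MARKER_HEADER}: {MARKER_VALUE}".encode("ascii")
    return marker in body


def handle_request(method: str) -> Tuple[int, Dict[str, str]]:
    """Hardened dispatch: refuse TRACE instead of echoing the request.

    405 with an Allow header is the conventional way to disable a method;
    nothing from the request is copied into the response.
    """
    allowed = ("GET", "HEAD", "POST")
    if method.upper() not in allowed:  # TRACE falls through to this branch
        return 405, {"Allow": ", ".join(allowed), "Content-Length": "0"}
    return 200, {"Content-Type": "text/html"}


# Constructed sample responses -------------------------------------------------
_probe = build_trace_probe("director.example")  # placeholder hostname

# 1) A server that echoes TRACE (the vulnerable pattern): the probe comes back.
ECHOED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    + f"Content-Length: {len(_probe)}\r\n".encode("ascii")
    + b"\r\n"
    + _probe
)

# 2) A server that refuses TRACE (the hardened pattern): nothing is reflected.
REFUSED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for label, resp in (("echoing server", ECHOED), ("hardened server", REFUSED)):
        print(f"{label}: TRACE echoed = {trace_is_echoed(resp)}")
    print("TRACE ->", handle_request("TRACE"))
```

Checking for the marker rather than only for `Content-Type: message/http` matters because some servers echo the request under a different content type; asserting on the reflected bytes catches those too. On the server side, the fix that removes the reflection is to stop handling TRACE at all, which is what `handle_request` does.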

Workarounds

Customers can limit the impact of this vulnerability by managing Director only from dedicated machines that do not connect to any other internal or external websites.

Patches

Director 5.5 - an interim fix is available in 5.5.2.3. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/patch/90138905913689859042842687478968.

Director 5.4 and earlier - please upgrade to a later release.

References

Advisory History

2011-09-15 Initial public release

