Security Advisories

December 12, 2012 – Cross Site Scripting and Cross Site Request Forgery vulnerabilities in Reporter

Security Advisories ID:    SA72
Version:    1.0
Status:    Published
Published date:    12/12/2012
 

Advisory Status

Final

Advisory Severity

High - CVSS v2 base score: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)

CVE Number

No CVE has been assigned at this time.

Summary

A remote attacker can use crafted URL links and/or malicious scripts on a web page to execute Reporter commands if an administrator has an active session in the Reporter management console.

Affected Products

All versions of Reporter prior to 9.4 are vulnerable. Windows, Linux, and Virtual Appliance versions are all vulnerable.

Details

Reporter is vulnerable to reflected (non-persistent) cross site scripting (XSS) attacks. User-provided data is not validated or sanitized before being returned in responses to requests issued from the client. The CVSS score for the cross site scripting vulnerability is 2.3 (AV:A/AC:M/Au:S/C:N/I:P/A:N).

Reporter is also vulnerable to cross site request forgery (CSRF) through a variety of mechanisms. An attacker who lures a Reporter administrator to browse a malicious website can use CSRF to submit commands to Reporter and gain control of the product. Commands that the attacker can submit include changing the password, changing the policy, and restarting the product. The CVSS score for the CSRF vulnerability is 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C).

Reporter has implemented input validation and output escaping to provide better protection from XSS attacks. To address CSRF, a per-session nonce is now sent by the client as part of each request, so that a request forged from another site, which cannot obtain the nonce, is rejected.
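The following is an added illustration of the two defects and of the class of fix described above; it is example code written for this page, not Reporter's own code. The handler names, the request and session structures, the parameter names (new_password, nonce) and the in-memory session store are all assumptions made for the demonstration. It shows a password-change command that honours any request carrying a valid session cookie (the CSRF case), the same command gated on a per-session nonce and on POST, and a search page that reflects its query unescaped beside one that escapes it.

```python
import hmac
import html
import secrets

# Constructed in-memory session store (assumption: Reporter's real session
# handling is not shown on the page): session cookie value -> session record.
SESSIONS = {}


def login(user):
    """Create a session and mint the per-session nonce the fixed handler requires."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "nonce": secrets.token_urlsafe(32)}
    return sid


def session_for(request):
    """Look up the session from the cookie the browser attaches automatically."""
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def change_password_vulnerable(request, password_store):
    """Pre-fix behaviour: a valid session cookie is the only check, so a request
    forged by another site (the browser still sends the cookie) is honoured."""
    sess = session_for(request)
    if sess is None:
        return 401, "not logged in"
    password_store[sess["user"]] = request["params"]["new_password"]
    return 200, "password changed"


def change_password_fixed(request, password_store):
    """Post-fix behaviour: state changes require POST plus a nonce matching the
    one bound to the caller's session. A page on another origin cannot read that
    nonce, so it cannot build a request that passes this check."""
    sess = session_for(request)
    if sess is None:
        return 401, "not logged in"
    if request.get("method") != "POST":
        return 405, "state-changing commands must be POSTed"
    supplied = request.get("params", {}).get("nonce", "")
    # Constant-time comparison avoids leaking the nonce through timing.
    if not hmac.compare_digest(supplied.encode(), sess["nonce"].encode()):
        return 403, "missing or invalid per-session nonce"
    password_store[sess["user"]] = request["params"]["new_password"]
    return 200, "password changed"


def render_search_vulnerable(query):
    """Reflected XSS: the query is echoed into the HTML response untouched."""
    return "<p>Results for: " + query + "</p>"


def render_search_fixed(query):
    """Escaping turns <, >, &, and quotes into entities so the browser renders text."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def run_demo():
    """Replay the attack against both handlers and return the outcomes."""
    sid = login("admin")
    # The attacker's page auto-submits a form to Reporter (constructed request);
    # the victim's browser attaches the session cookie, but the attacker cannot
    # supply the nonce because it is only visible to the Reporter origin.
    forged = {"method": "POST", "cookies": {"session": sid},
              "params": {"new_password": "attacker-chosen"}}
    legit = {"method": "POST", "cookies": {"session": sid},
             "params": {"new_password": "admin-chosen",
                        "nonce": SESSIONS[sid]["nonce"]}}
    before, after = {}, {}
    return {
        "vulnerable_forged": change_password_vulnerable(forged, before)[0],
        "fixed_forged": change_password_fixed(forged, after)[0],
        "fixed_legit": change_password_fixed(legit, after)[0],
        "before_store": before,
        "after_store": after,
        "xss_vulnerable": render_search_vulnerable("<script>alert(1)</script>"),
        "xss_fixed": render_search_fixed("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Two points the example makes that the prose only implies: the nonce must be bound to the session (a global or guessable token gives no protection), and state-changing commands must also refuse GET, since the "URL links" vector in the summary is exactly a GET that the browser follows with the administrator's cookie attached.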

Workarounds

Customers can limit the impact of these vulnerabilities in these ways:

  • Access Reporter using a dedicated machine that does not connect to any other internal or external websites.
  • Update your browser regularly to take advantage of browser based protections.
  • Always log out and close the browser window when management tasks have been completed.

Patches

Reporter 9.3 – a fix is available in 9.3.3.2 for Windows, Linux and Virtual Reporter versions. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/8793.

Reporter 9.2 and earlier – please upgrade to a later version.
 
Reporter 8.3 and earlier – please upgrade to a later version.

Advisory History

2012-12-12 Initial public release

