Vigil@nce - ProxySG: redirect via Coaching Page
February 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can display a fake url in the Coaching Page of
ProxySG, in order to deceive the victim.
Impacted products: ProxySG, SGOS.
Severity: 2/4.
Creation date: 18/12/2015.
DESCRIPTION OF THE VULNERABILITY
The ProxySG product offers a Coaching Page, which requires an
approbation to the user before displaying a document.
This page indicates the url of the temporarily blocked document.
However, an attacker can create a special url, using a redirect,
so the displayed url is different from the destination url.
An attacker can therefore display a fake url in the Coaching Page
of ProxySG, in order to deceive the victim.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/ProxySG-redirect-via-Coaching-Page-18560