Vigil@nce - Blue Coat ProxySG: privilege escalation
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An administrator with limited rights can therefore execute any
administrative command via HTTPS.
Severity: 2/4
Creation date: 18/08/2010
DESCRIPTION OF THE VULNERABILITY
Blue Coat defines two administrative profiles with different
executive rights.
There is three ways to enter commands:
– the management console
– the commands line
– URL via HTTPS
For commands passed through the management console and commands
line, privileges are enforced. However, commands sends via URL are
not checked against privileges.
An administrator with limited rights can therefore execute any
administrative command via HTTPS.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Blue-Coat-ProxySG-privilege-escalation-9852