Vigil@nce: JUNOS, Cross Site Scripting of J-Web
October 2009 by Vigil@nce
An attacker can generate several Cross Site Scripting in the web
interface of JUNOS.
Severity: 2/4
Consequences: client access/rights
Provenance: document
Means of attack: 5 attacks
Ability of attacker: beginner (1/4)
Confidence: unique source (2/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 5
Creation date: 29/09/2009
IMPACTED PRODUCTS
– Juniper JUNOS
DESCRIPTION OF THE VULNERABILITY
A JUNOS product can be administered via its J-Web interface. An
attacker can generate several Cross Site Scripting in this web
interface.
When the url contains a quote character ("), followed by
JavaScript code, it is executed in the context of the web site.
[grav:2/4; PR09-08]
The "ping" and "traceroute" tools in the "/diagnose" page do not
filter their "host" parameter. [grav:2/4; PR09-09]
The "/configuration" script does not filter its posted parameters
: probe-limit, wizard_ids, pager-new-identifier,
os-physical-interface-name, wizard-args, wizard-ids, username,
fullname, certname, certbody and wizard-next. [grav:1/4; PR09-09]
Several scripts do not check their parameters. [grav:2/4; PR09-10]
Values entered in the SNMP configuration page are not filtered
before being displayed. [grav:1/4; PR09-10]
An attacker can therefore invite the victim to display a malicious
HTML page, in order to execute script code in the context of the
J-Web web site.
CHARACTERISTICS
Identifiers: BID-36537, PR09-08, PR09-09, PR09-10,
VIGILANCE-VUL-9054
http://vigilance.fr/vulnerability/JUNOS-Cross-Site-Scripting-of-J-Web-9054