Vigil@nce: ProxySG, Cross Site Scripting
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use a Cross Site Scripting of ProxySG, in order to
force the execution of CLI commands by the administrator.
– Severity: 2/4
– Creation date: 04/10/2010
DESCRIPTION OF THE VULNERABILITY
The ProxySG administrator has to authenticate to access to the web
administration console.
ProxySG does not filter some parameters before displaying them in
the HTML page. An attacker can thus invite the administrator to
display a special url, which displays a page containing JavaScript
code. As the administrator is authenticated, this code is allowed
to execute CLI commands.
An attacker can therefore use a Cross Site Scripting of ProxySG,
in order to force the execution of CLI commands by the
administrator.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ProxySG-Cross-Site-Scripting-9994