I. VULNERABILITY
-------------------------
Reflected XSS Attacks vulnerabilities in WatchGuard XTM 11.8
II. BACKGROUND
-------------------------
WatchGuard builds affordable, all-in-one network and content security
solutions to provide defense in depth for corporate content, networks and
the businesses they power.
III. DESCRIPTION
-------------------------
Has been detected a Reflected XSS vulnerability in XTM WatchGuard.
The code injection is done through the parameter "poll_name" in the
page "/firewall/policy?pol_name=(HERE XSS)"
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter "poll_name" correctly.
https://10.200.210.100:8080/firewall/policy?pol_name=qqq"><body
onload=alert(document.cookie)>&service=Any&is_new=1
V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted
user's browser, that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser
allowing Cookie Theft/Session Hijacking, thus enabling full access the
box.
VI. SYSTEMS AFFECTED
-------------------------
Tested WatchGuard XTM Version: 11.8 (Build 432340)
VII. SOLUTION
-------------------------
All data received by the application and can be modified by the user,
before making any kind of transaction with them must be validated
VIII. References
-------------------------
http://www.kb.cert.org/vuls/id/807134
http://watchguardsecuritycenter.com/2014/03/13/fireware-xtm-11-8-3-update-corrects-xss-flaw/
By William Costa
william.costa@gmail.com
-------------------------
Reflected XSS Attacks vulnerabilities in WatchGuard XTM 11.8
II. BACKGROUND
-------------------------
WatchGuard builds affordable, all-in-one network and content security
solutions to provide defense in depth for corporate content, networks and
the businesses they power.
III. DESCRIPTION
-------------------------
Has been detected a Reflected XSS vulnerability in XTM WatchGuard.
The code injection is done through the parameter "poll_name" in the
page "/firewall/policy?pol_name=(HERE XSS)"
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter "poll_name" correctly.
https://10.200.210.100:8080/firewall/policy?pol_name=qqq"><body
onload=alert(document.cookie)>&service=Any&is_new=1
V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted
user's browser, that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser
allowing Cookie Theft/Session Hijacking, thus enabling full access the
box.
VI. SYSTEMS AFFECTED
-------------------------
Tested WatchGuard XTM Version: 11.8 (Build 432340)
VII. SOLUTION
-------------------------
All data received by the application and can be modified by the user,
before making any kind of transaction with them must be validated
VIII. References
-------------------------
http://www.kb.cert.org/vuls/id/807134
http://watchguardsecuritycenter.com/2014/03/13/fireware-xtm-11-8-3-update-corrects-xss-flaw/
By William Costa
william.costa@gmail.com