Symantec Gateway Security Management Service Cross Site Scripting

Product: Symantec Gateway Security 2.0
Date: 02/25/2004
Author: Brian Soby, Raytheon

1. Overview
----------------------------------------

A cross site scripting vulnerability exists in Symantec Gateway Security's management service which could allow an attacker to hijack a management session to the device.

2. Vulnerability Description
----------------------------------------

A vulnerability exists in the Symantec Gateway Security management server object's handling of URLs when including them in error pages displayed to the requesting client. No parsing is done to the URLs to ensure that HTML tags are not included and returned to the client.

3. Conditions
----------------------------------------

The URL requested by the client must be handled by the Symantec Gateway Security's custom server object. For example, any request for an object under the /sgmi directory is passed to the Symantec Gateway Security server object for processing.

The attacker could present a URL in the form of https://FirewallHostname:2456/sgmi/ to the client. SGS would display the URL back to the client, usually in a 404 page or other error page, causing the execution of the script "badscript" in the context of the SGS device.

4. Impact
----------------------------------------

Malicious script can be executed in the context of a trusted device, authentication cookies can be stolen (including the JSESSIONID cookie used to authenticate a management session), etc. Because no access control policy restricts access to the management service by default, an attacker who is able to obtain the JSESSIONID cookie for a valid session could connect from an untrusted network and assume management rights of the device.

5. Solution
----------------------------------------

Symantec has released a patch that addresses this issue. It is available at http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_2_5400/files.html under hotfix ID SG8000-20040130-00. This problem is described in the hotfix readme as a fix that "Changes the return page when management URL is requested incorrectly".

6. Disclaimer
----------------------------------------

The information in this advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties, expressed or implied, with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with this information.

7. Copyright
----------------------------------------

Copyright (c) 2004 Raytheon. Permission is hereby granted to redistribute this alert electronically, provided it is left whole and not modified in any way.
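The flaw described in sections 2 and 3 is the classic pattern of an error page that echoes the requested URL without encoding it. The following Python is an added illustration, not code from the advisory, from Symantec or from the SGS product: a renderer with that flaw beside the two ways of fixing it (HTML-escaping the URL for its output context, or not echoing it at all, which is what the hotfix readme describes), plus a coarse regression check. The function names, the 404 template and the probe strings are all constructed for this example.

```python
import html

# Constructed sample request URI; the tag is what an unescaped error page
# would hand to the browser as live markup rather than as text.
CONSTRUCTED_URI = "/sgmi/<script>probe()</script>"

# Constructed probe inputs for the regression check. Any of them appearing
# verbatim in a rendered error page means the page reflects markup unencoded.
PROBES = [
    CONSTRUCTED_URI,
    '/sgmi/"><b>x</b>',
    "/sgmi/?q=<i>x</i>",
]

HEAD = "<html><body><h1>404 Not Found</h1>"
TAIL = "</body></html>"


def render_not_found_vulnerable(request_uri: str) -> str:
    """Flawed pattern: the raw request URI is interpolated into the 404 body."""
    return f"{HEAD}<p>The requested URL {request_uri} was not found.</p>{TAIL}"


def render_not_found_escaped(request_uri: str) -> str:
    """Fix A: encode the URI for the HTML text context before interpolation.

    html.escape turns < > & " ' into entities, so the browser renders the
    URI as text. This is the right encoder only for HTML body/attribute
    context; a URL placed inside a script block would need a different one.
    """
    safe_uri = html.escape(request_uri, quote=True)
    return f"{HEAD}<p>The requested URL {safe_uri} was not found.</p>{TAIL}"


def render_not_found_generic(request_uri: str) -> str:
    """Fix B: do not echo the URI at all (a fixed return page, as the hotfix
    readme describes). Nothing attacker-controlled reaches the response."""
    return f"{HEAD}<p>The requested URL was not found.</p>{TAIL}"


def reflected_probes(render, probes=PROBES) -> list:
    """Return the probes a renderer reflects verbatim; an empty list is clean.

    This is a coarse regression check for the specific defect in the advisory
    (unencoded reflection), not a general XSS scanner.
    """
    return [p for p in probes if p in render(p)]
```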