Palo Alto Networks PANOS <= 5.0.8 XSS

A couple of bugs exist in Palo Alto Networks PANOS <= 5.0.8 which can be exploited to conduct cross-site scripting attacks.

Certificate fields are displayed in the firewall web interface without proper sanitization applied to them, so it is possible to inject HTML into the web interface.

Various file upload forms used by the firewall, import.certificate.php for example, do not implement proper CSRF protection.

Example of a certificate containing HTML that will be rendered:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            e5:67:53:d1:e4:2a:71:ec
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, ST=, L=Default City, O=Default Company Ltd
        Validity
            Not Before: Oct 1 16:28:18 2013 GMT
            Not After : Oct 1 16:28:18 2014 GMT
        Subject: C=XX, ST=, L=Default City, O=Default Company Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:b1:d1:b4:9a:58:5e:20:99:15:03:f0:38:e5:dd:
                    11:f1:f1:14:26:3b:aa:6e:6b:c1:c1:28:01:be:d3:
                    93:e8:b5:fb:2e:a8:89:b2:87:56:93:54:60:a6:0c:
                    40:85:31:f8:9d:fd:00:0e:2f:f1:58:e6:a5:8a:0a:
                    67:57:70:06:13:02:2e:68:44:8b:a1:23:b1:bd:27:
                    d4:88:9d:f1:44:76:65:bb:e4:70:b5:fe:9c:21:57:
                    6a:11:df:56:b5:5d:c7:18:b9:b1:9a:81:c9:ae:80:
                    16:9d:11:76:e1:6f:a8:94:dd:01:02:c7:87:7e:cc:
                    b0:06:69:d5:84:79:64:45:d3
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         03:12:b6:12:74:67:8f:ac:e0:5f:02:31:b3:63:10:78:33:9d:
         5e:c0:14:d9:d9:f6:ab:17:45:d3:fa:37:b8:c6:15:7c:24:a4:
         83:61:c6:8c:92:1d:2b:2b:0d:f9:84:79:e7:db:26:07:63:e4:
         9b:3a:3c:5f:a4:31:99:4e:79:30:95:a3:ce:86:9c:09:fa:e0:
         3d:7b:c1:c4:ec:7a:79:b3:9c:7f:e2:36:3e:f2:40:cf:c0:57:
         b0:4c:99:18:76:14:23:30:da:b3:90:2d:cd:af:65:80:bc:db:
         db:3f:9e:44:a1:2e:5e:e2:29:83:ff:29:ec:17:df:8f:7b:55:
         5d:ed

Example HTML source code to CSRF POST this rogue cert: PA:
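
The two defects described above (certificate fields written into the page unencoded, and an upload form with no CSRF protection) call for output encoding and a per-session form token. The following is an added example, not code from the advisory or from PAN-OS; the function names h, render_cert_fields, csrf_token and csrf_check and the sample subject are hypothetical, and the field array is assumed to be shaped like the 'subject' entry returned by PHP's openssl_x509_parse().

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode one untrusted value for HTML text or attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render certificate name fields as table rows. Field names and values both
// come from the uploaded certificate, so both are encoded on output.
function render_cert_fields(array $fields): string
{
    $rows = '';
    foreach ($fields as $name => $value) {
        // Multi-valued attributes arrive as arrays; flatten before encoding.
        $text = is_array($value) ? implode(', ', $value) : (string) $value;
        $rows .= '<tr><th>' . h((string) $name) . '</th><td>' . h($text) . "</td></tr>\n";
    }
    return "<table>\n" . $rows . "</table>\n";
}

// Issue a per-session token to embed as a hidden field in the upload form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Accept the upload only if the posted token matches the session's token.
function csrf_check(array $session, array $post): bool
{
    $expected = $session['csrf'] ?? '';
    $given = $post['csrf'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Constructed sample: a subject whose ST field carries markup.
$subject = ['C' => 'XX', 'ST' => '<b>injected</b>', 'O' => 'Default Company Ltd'];
// The markup is emitted as entity-encoded text, so the browser displays it literally.
echo render_cert_fields($subject);

// $session stands in for $_SESSION in this stand-alone run.
$session = [];
$token = csrf_token($session);
var_dump(csrf_check($session, ['csrf' => $token])); // form served by the application
var_dump(csrf_check($session, []));                 // cross-site POST without the token
```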