CyberGuard proxy / firewall XSS

[Jamie Fisher <contact_jamie_fisher () yahoo co uk>]

Overview:

Vendor : CyberGuard
URL    : <A HREF="http://www.cyberguard.com";>http://www.cyberguard.com</A>
Version: 5.1 - Other versions have not been not tested
Issue  : Cross Site Script
Impact : Low - Medium

Description:

<A HREF="http://www.cyberguard.com/solutions/product_overview.cfm";>Overview of product</A>

Problem:

By issuing a GET request for an invalid Internet domain name <A HREF="http://domain.tld";>http://domain.tld</A> through 
the CyberGuard proxy from an internal network to the Internet, it is possible to append a basic syntax for a Cross Site 
Script...

For instance: <A HREF="http://domain.tld&lt;script&gt;alert('test')&lt;/script&gt;">Click here</A>.

Variants have been tested and it is possible to also include images on the error page.

For instance: it is possible to specify an image with the &lt;img src&gt; tag while also specifying a Cross Site Script 
- in the same address &lt;script&gt;alert('test')&lt;/script&gt;

Should you be 'vulnerable' to the CyberGuard proxy / firewall CSS then you should see a similar page or a variant 
depending on the configuaration.

As http (through the GUI) can be used as a mechanism whereby access to the the logs can be viewed, it may be possible 
for a miscreant to, through the usual obfuscation methods (encoding types) trick an administrator of the CyberGuard 
proxy / firewall into clicking on a Cross Site Script to gain privileged user credentials by specifying the 
(document.cookie) with a refer to a file where the user credentials can be collected for the purpose of executing by 
loading the credentials into the Achilies (or similar) proxy.

Note: this method of attack is yet untested.

Possible Solution:

Input validation of code executed on the CyberGuard proxy / firewall.
Configure the Cyberguard proxy / firewall so that management access can only be accessed via SSH.

Solution:

See Vendor for solution.

Vendor Notification:

Yes

Credit:

Everyone doing IT Security