MVSA-09-002


CVE:
CVE-2009-0063
Vendor:
Symantec
Products:
Brightmail Security Gateway

Vulnerabilities:
Multiple Reflected XSS

Risk:
Medium
Attack Vector:
From Remote
Authentication:
Required
References:
Symantec Security Response: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01

Description

Symantec Brightmail Gateway Appliance is vulnerable to multiple reflected XSS attacks. When exploited against an authenticated user, the identified vulnerabilities could lead to information disclosure, session hijacking, access to intranet servers, or the injection of malicious JavaScript and HTML that issues requests 'on behalf of' the attacked user(s).

The vulnerable resources include edit.do, PatternFlow$viewReadOnly.flo, ComplianceFlow$edit.flo, saveSpamSettings.do and runUtility.do, as shown below:

        url_placeholder/edit.do?userID=%3Cscript%3Ealert(%27xss%27)%3C/script%3E
        url_placeholder/PatternFlow$viewReadOnly.flo?patternId=<STYLE>@import"javascript:alert('xss')";</STYLE>
        url_placeholder/ComplianceFlow$edit.flo?complianceFolderId=<img%20src="javascript:alert('xss')">
        url_placeholder/saveSpamSettings.do?...&updateTab="><script>alert('xss')</script>&…
        url_placeholder/runUtility.do?selectedHost=<img%20src="javascript:alert('xss')">
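As an added example (not part of the advisory or of Symantec's product), the following Python flags requests to the five endpoints above whose vulnerable parameter carries HTML or script markup, after undoing repeated percent-encoding; the log lines and the /brightmail path prefix are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Endpoint/parameter pairs named in MVSA-09-002 (matched on the last path component).
VULNERABLE_PARAMS = {
    "/edit.do": {"userID"},
    "/PatternFlow$viewReadOnly.flo": {"patternId"},
    "/ComplianceFlow$edit.flo": {"complianceFolderId"},
    "/saveSpamSettings.do": {"updateTab"},
    "/runUtility.do": {"selectedHost"},
}
# Markup that has no business in an ID, tab or host-name parameter.
MARKUP = re.compile(r"<[a-z/!]|javascript:|on\w+\s*=", re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request(path_query):
    """Return (endpoint, param, decoded_value) hits for one request target."""
    parts = urlsplit(path_query)
    tail = "/" + parts.path.rsplit("/", 1)[-1]
    params = VULNERABLE_PARAMS.get(tail)
    if not params:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in params:
            for raw in values:
                decoded = decode_fully(raw)  # parse_qs already decoded once
                if MARKUP.search(decoded):
                    hits.append((tail, name, decoded))
    return hits

def scan_access_log(lines):
    """Run check_request over the request target of each combined-format log line."""
    req = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
    return [hit for line in lines if (m := req.search(line))
            for hit in check_request(m.group(1))]

# Constructed sample log lines (placeholder host and path prefix, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [25/Jan/2009:10:00:00 +0000] "GET /brightmail/edit.do?userID=42 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [25/Jan/2009:10:00:01 +0000] "GET /brightmail/edit.do?userID=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 600',
    '10.0.0.5 - admin [25/Jan/2009:10:00:02 +0000] "GET /brightmail/runUtility.do?selectedHost=%3Cimg%20src%3D%22javascript:x%22%3E HTTP/1.1" 200 600',
]
```

Because the endpoints require authentication, a hit here names the account whose session was used, which is the first thing to look at when triaging.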


Affected Versions

Symantec Brightmail Gateway Appliance 8300 - All versions prior to 8.0.1

Symantec Mail Security Appliance 8200/8300 - All versions


Mitigation

Vendor recommends upgrading to Symantec Brightmail Gateway version 8.0.1 or later.
Alternatively, please contact Symantec for technical support.

Disclosure Timeline

25 January 2009: Vulnerabilities discovered and documented
28 January 2009: Vendor notified
02 February 2009: Vendor confirmed receiving the original reports
08 February 2009: Vendor confirmed the identified vulnerabilities
23 April 2009: Vendor released patches for reported vulnerabilities
23 February 2010: Current advisory published


Dr. Marian Ventuneac