MVSA-09-002

CVE:		CVE-2009-0063
Vendor:		Symantec
Products:		Brightmail Security Gateway
Vulnerabilities:		Multiple Reflected XSS
Risk:		Medium
Attack Vector:		From Remote
Authentication:		Required
References:		Symantec Security Response: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01

Description

Symantec Brightmail Gateway Appliance is vulnerable to multiple reflected XSS attacks. When exploited by an authenticated user, the identified vulnerabilities could lead to Information Disclosure, Session Hijack, access to Intranet servers, or injecting malicious JavaScript and HTML code to request inappropriate materials 'on behalf' of the user(s) being attacked.

The vulnerable resources include edit.do, PatternFlow$viewReadOnly.flo, ComplianceFlow$edit.flo, saveSpamSettings.do and saveSpamSettings.do, as shown below:

       url_placeholder/edit.do?userID=%3Cscript%3Ealert(%27xss%27)%3C/script%3E
       url_placeholder/PatternFlow$viewReadOnly.flo?patternId=<STYLE>@import"javascript:alert('xss')";</STYLE>
       url_placeholder/ComplianceFlow$edit.flo?complianceFolderId=<img%20src="javascript:alert('xss')">
       url_placeholder/saveSpamSettings.do?...&updateTab="><script>alert('xss')</script>&…
       url_placeholder/runUtility.do?selectedHost=<img%20src="javascript:alert('xss')">

Affected Versions

Symantec Brightmail Gateway Appliance 8300 - All versions prior to 8.0.1

Symantec Mail Security Appliance 8200/8300 - All versions

Mitigation

Vendor recommends upgrading to Symantec Brightmail Gateway version 8.0.1 or later.

Alternatively, please contact Symantec for technical support.

Disclosure Timeline

25 January 2009: Vulnerabilities discovered and documented
28 January 2009: Vendor notified
02 February 2009: Vendor confirmed receiving the original reports
08 February 2009: Vendor confirmed the identified vulnerabilities
23 April 2009: Vendor released patches for reported vulnerabilities
23 February 2010: Current advisory published

MVSA-09-002

Dr. Marian Ventuneac

Comments

Marian Ventuneac	Search this site