Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability
ZDI-10-231: November 7th, 2010
CVSS Score
Affected Vendors
Affected Products
TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10605. For further product information on the TippingPoint IPS:
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Juniper SA Series devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the meeting_testjava.cgi page, which is used to test JVM compatibility. When handling the DSID HTTP header, the code allows an attacker to inject arbitrary JavaScript into the page. This can be abused by an attacker to perform a cross-site scripting attack on the device.
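The defect class described above, a client-supplied header reflected into HTML without encoding, shown beside a hardened handler with a regression check. This is an added example, not Juniper's code: the template, the function names and the hex DSID format are assumptions made for illustration.

```python
import html
import re

# Hypothetical template: the real meeting_testjava.cgi markup is not shown on this page.
TEMPLATE = "<html><body><p>Session under test: {dsid}</p></body></html>"

# Assumed identifier shape (hex, 16-64 chars); the real DSID format is not given here.
DSID_ALLOWED = re.compile(r"[0-9a-fA-F]{16,64}")


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def render_vulnerable(headers):
    """Defect class from the advisory: header value copied into HTML unchanged."""
    return TEMPLATE.format(dsid=get_header(headers, "DSID"))


def render_hardened(headers):
    """Validate against the allow-list, then HTML-encode whatever is emitted."""
    value = get_header(headers, "DSID")
    if not DSID_ALLOWED.fullmatch(value):
        value = "(invalid)"
    # Encode even validated input, so a loosened allow-list later
    # does not silently reintroduce the flaw.
    return TEMPLATE.format(dsid=html.escape(value, quote=True))


def reflects_raw(page, value):
    """Regression check: does client-supplied markup survive into the page?"""
    return "<" in value and value in page


# Constructed sample requests (inert markup marker, not a working payload).
MARKUP_REQUEST = {"dsid": "<i>probe</i>"}
NORMAL_REQUEST = {"DSID": "0123456789abcdef0123456789abcdef"}

if __name__ == "__main__":
    for req in (MARKUP_REQUEST, NORMAL_REQUEST):
        value = get_header(req, "DSID")
        print(reflects_raw(render_vulnerable(req), value),
              reflects_raw(render_hardened(req), value))
```

The same `reflects_raw` check can be run against a patched and an unpatched build's response to confirm that the upgrade removed the reflection.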
Vendor Response
Juniper states:
The fix to this issue is now available for download on the vendor's website. The issue has been resolved in IVE OS 6.5r7 (Build 16789) and 7.0r3 (Build 16899).
A product security notice, PSN-2010-11-983, has been released by the vendor. Customers can sign up for proactive alerts of IVE OS software releases by visiting the Juniper Networks Support Center and selecting "Subscribe to Email Alerts" under Technical Bulletins.
Disclosure Timeline
2010-10-15 - Vulnerability reported to vendor
2010-11-07 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:
Davy Douhine
