usd-2018-0032 | Riverbed SteelCentral AppResponse/9.6

Advisory ID: usd-2018-0032
CVE Number: N/A
Affected Product: SteelCentral AppResponse
Affected Version: 9.6
Vulnerability Type: Reflected Cross-Site-Scripting Vulnerability
Security Risk: Low
Vendor URL: https://support.riverbed.com/content/support/software/steelcentral-npm/appresponse.html
Vendor Status: Unknown

Description

A reflected XSS attack (or non-persistent attack) occurs when a malicious script is reflected off of a web application to the victim’s browser. The attack is typically delivered via email or a web site and activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.

Proof of Concept

https://[Server IP]:8443/Login?login_source=%25%32%32%25%33%65%25%33%63%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%65%25%36%31%25%36%63%25%36%35%25%37%32%25%37%34%25%32%38%25%32%32%25%37%38%25%37%33%25%37%33%25%32%30%25%36%32%25%37%39%25%32%30%25%37%35%25%37%33%25%36%34%25%32%30%25%34%31%25%34%37%25%32%32%25%32%39%25%33%63%25%32%66%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%65

Fix

Make sure to encode the user supplied input.

Timeline

  • 2018-10-08 First contact request via support@riverbed.com
  • 2018-10-15 Second contact request via product-security@riverbed.com
  • 2018-10-17 Riverbed provided their PGP key
  • 2018-10-19 Riverbed received the advisory
  • 2018-10-23 Riverbed states to review the provided information
  • 2018-12-07 Sent disclosure reminder
  • 2018-12-07 Security advisory released

Credits

These security vulnerabilities were found by Christoph Cierpka and Lars Neumann of usd AG.