[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n
<\/span> Sophos UTM offers a web interface to manage quarantined mails. The web-based interface did not filter user controlled inputs sufficiently, resulting in multiple Cross-Site Scripting (XSS) vulnerabilities.<\/p>\n Sophos UTM is a firewall solution by Sophos. It implements a web interface that allows authenticated users to manage quarantined mails. Additionally, users can inspect the contents of mails.<\/p>\n Sophos UTM fails to sanitize the following contents of mails before reflecting them within the web interface:<\/p>\n As the mails are persistently stored, direct result of this behavior is stored XSS.<\/p>\n <\/span><\/p>\n 1. Send an e-mail that purposely is sent to quarantine by Sophos UTM. This can be for instance achieved by including the \"Generic Test for Unsolicited Bulk Email\" (GTUBE)<\/b><\/a> test string. Additionally, include the following markup:<\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n <iframe src=\"asd\"> [\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]<\/p>\n 2. Access the SMTP quarantine interface and display the detail view of the previously sent mail.<\/p>\n 3. Observe that the XSS payload is executed within Sophos UTM's origin.<\/p>\n [\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters. For example, PHP has the built-in function htmlspecialchars()<\/strong>.<\/p>\n Additionally, all input should be validated on the server-side. Where possible, whitelist filters should be used. The more restrictive a filter can be specified, the better the protection it provides. Whitelisting is especially recommended if input values have a well defined format or a list of valid input values exists. Invalid values should not be sanitized and forwarded to the application. Instead, requests with invalid values should be rejected.<\/p>\n Further details on how to prevent XSS vulnerabilities can be obtained from OWASP<\/a>.<\/p>\n This security vulnerability was found by Daniel Hoffmann of usd AG.<\/p>\n<\/div>\n<\/div>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2020-0106 (CVE-2021-25273) | Sophos UTM Advisory ID: usd-2020-0106CVE Number: CVE-2021-25273Affected Product: Sophos UTMAffected Version: <\u00a0UTM 9.706Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Security Risk: MediumVendor URL:\u00a0https:\/\/sophos.comVendor Status: Fixed Description Sophos UTM offers a web interface to manage quarantined mails. The web-based interface did not filter user controlled inputs sufficiently, resulting […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-17540","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/17540","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=17540"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/17540\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=17540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Advisory ID<\/strong>: usd-2020-0106
CVE Number<\/strong>: CVE-2021-25273<\/a>
<\/span><\/span>Affected Product<\/strong>: Sophos UTM<\/span><\/span>
Affected Version<\/strong>: <\u00a0UTM 9.706<\/span>
Vulnerability Type<\/strong>: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>:\u00a0<\/span>https:\/\/sophos.com<\/a>
Vendor Status<\/strong>: Fixed<\/span><\/span><\/p>\nDescription<\/h3>\n
\n
Proof of Concept (PoC)<\/h3>\n
<img src=\"x:gif\" onerror=\"alert('asd')\"><\/img><\/p>\nFix<\/h3>\n
<\/h3>\n
References<\/h3>\n
\n
<\/h3>\n
Timeline<\/h3>\n
\n
<\/h3>\n
Credits<\/h3>\n