Bloxx Web Filtering contains multiple XSS, CSRF, and authentication bypass vulnerabilities.
According to Bloxx's website, Bloxx Web Filtering is a real-time Web content filter which performs live analysis and real-time categorization of Web pages to dramatically improve protection and security. Bloxx Web Filtering software contains multiple XSS, CSRF, and authentication bypass vulnerabilities which could allow an attacker to run arbitrary code.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE-2012-2563:
(2) The following menu functions in the Bloxx administrative interface are reported to be vulnerable to Persistent XSS. A malicious lower level administrator that has access to one of these functions could inject malicious code targeting a higher level administrator to escalate privileges or execute arbitrary code. Reported menu functions affected:
CWE-352: Cross-Site Request Forgery (CSRF) CVE-2012-2564:
(3) It has been reported that all the functions on the Bloxx administrative interface are vulnerable to CSRF. A malicious user could craft a specialized web page and force a Bloxx administrator to execute unwanted actions on the Bloxx administrative interface in which they are currently authenticated. The Bloxx administrator is not required to have a window open to the administrative interface. If the Bloxx administrator did not use the "Log out" link, even closing the browser window could still leave the session open.
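As an added illustration (not Bloxx's code, and not taken from the note), the following shows the two server-side controls that address item (3): a per-session synchronizer token that every state-changing request must carry, and an idle timeout so that a session left open without "Log out" does not remain usable indefinitely. The session model, the admin hostname used for the Origin check, and the 15-minute timeout are all assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy: expire admin sessions after 15 idle minutes
ADMIN_ORIGIN = "https://bloxx-admin.example"  # assumed origin of the admin interface


@dataclass
class AdminSession:
    """Server-side session record (hypothetical; not the product's own session model)."""
    user: str
    created: float
    last_seen: float
    # One unguessable token per session; forms embed it, handlers compare it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def new_session(user: str, now: Optional[float] = None) -> AdminSession:
    now = time.time() if now is None else now
    return AdminSession(user=user, created=now, last_seen=now)


def session_is_live(session: AdminSession, now: float) -> bool:
    """A session abandoned without 'Log out' still dies once it has been idle too long."""
    return (now - session.last_seen) <= IDLE_TIMEOUT_SECONDS


def render_form_token(session: AdminSession) -> str:
    """Hidden field the admin interface would embed in every state-changing form."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'


def authorize_state_change(session: AdminSession, method: str, form: dict,
                           origin: Optional[str], now: float) -> bool:
    """Return True only for a request the admin actually submitted from the interface."""
    if method.upper() not in ("POST", "PUT", "DELETE"):
        return False  # state changes must never ride on GET (a plain link or image load)
    if not session_is_live(session, now):
        return False
    # Defense in depth: browsers attach Origin to cross-site form posts; reject foreign origins.
    if origin is not None and origin != ADMIN_ORIGIN:
        return False
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return False  # a page on another site cannot read the token, so a forged post lacks it
    session.last_seen = now
    return True
```

Both checks run before the handler touches any configuration; the token comparison uses a constant-time compare so the check itself does not leak the token.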
(4) The Bloxx Web Filtering device uses Microdasys for SSL interception. When a user tries to use HTTPS to connect to a site that does not support HTTPS, a Microdasys SSL error page is displayed to the user. This error page is vulnerable to a reflected XSS attack. A malicious user can send a victim a crafted HTTPS URL, containing malicious code, for a site that does not support HTTPS. When the victim tries to connect to the crafted URL, the Microdasys engine will try to connect over HTTPS to the URL. The connection will fail since the target site does not support HTTPS, and the Microdasys SSL error page presented to the user will include the unsanitized URL.
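Added example for items (2) and (4), not code from Bloxx or Microdasys: both issues come down to untrusted text (an administrator-entered field, or the URL a client asked for) being written into HTML without encoding. The hardened functions below encode on output with html.escape and, for the error page, reduce the echoed URL to its scheme and host so the path and query, where injected markup normally travels, are never rendered at all. The page layout and function names are invented for the example.

```python
import html
from urllib.parse import urlsplit


def render_ssl_error_page_unsafe(requested_url: str) -> str:
    """The pattern the note describes: the requested URL is echoed into the page as-is."""
    return (
        "<html><body><h1>SSL error</h1>"
        f"<p>Could not establish a secure connection to {requested_url}</p>"
        "</body></html>"
    )


def describe_target(requested_url: str) -> str:
    """Keep only scheme and host of the requested URL; drop everything else."""
    parts = urlsplit(requested_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "the requested site"  # unparseable input gets a fixed description
    return f"{parts.scheme}://{parts.hostname}"


def render_ssl_error_page_safe(requested_url: str) -> str:
    """Hardened error page: reduced URL, HTML-encoded in both text and attribute context."""
    target = html.escape(describe_target(requested_url), quote=True)
    return (
        "<html><body><h1>SSL error</h1>"
        f"<p>Could not establish a secure connection to <a href=\"{target}\">{target}</a></p>"
        "</body></html>"
    )


def render_admin_field(label: str, stored_value: str) -> str:
    """Stored-XSS case (item 2): a value one administrator saved is shown to another.

    Encoding happens at render time, so whatever was accepted into the configuration
    is displayed as text rather than interpreted as markup by the viewing browser.
    """
    return (
        f"<tr><td>{html.escape(label, quote=True)}</td>"
        f"<td>{html.escape(stored_value, quote=True)}</td></tr>"
    )
```

Encoding at the output boundary, rather than trying to strip "bad" input on the way in, is what makes the stored case safe regardless of which administrative level entered the value.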
CWE-257: Storing Passwords in a Recoverable Format CVE-2012-2565:
(5) The Bloxx administrative interface has a function to back up the current configuration and save it to a file. The saved file includes all the configuration information of the Bloxx device, including the administrator user credentials. The user information includes the username, administrative level, email address, and a SHA-1 hash of the password. If a malicious lower-level administrator has access to the backup functionality, or a malicious user has access to the backup file, they could extract the SHA-1 hashes to be cracked. No salt is implemented, so the hashes can be cracked against a rainbow table. If a malicious lower-level administrator also has rights to restore a backup file, they could replace the password hash of a higher-level administrator account with a hash of their own.
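Added example for item (5), not Bloxx's code: it puts the storage format the note describes (a bare, unsalted SHA-1 digest, so every account with the same password exports the same 40-hex string, which is exactly what a precomputed table keys on) next to a salted, iterated format, and adds a small audit that flags accounts in an exported user list whose credential is still a bare SHA-1. The backup records, the work factor and the field names are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

PBKDF2_ROUNDS = 600_000  # assumed work factor for the example


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 as the note describes it: same password, same digest, every time."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus an iterated KDF; a table built for one user is useless for another."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    try:
        algo, rounds, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


BARE_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def audit_backup_users(records: List[dict]) -> List[str]:
    """Return usernames whose exported credential is a bare 40-hex SHA-1 digest."""
    return [r["username"] for r in records if BARE_SHA1.match(r["password"].lower())]


# Constructed sample of the user section of a configuration export (field names assumed).
CONSTRUCTED_BACKUP = [
    {"username": "superadmin", "level": 1, "email": "super@example.test",
     "password": legacy_sha1("Winter2012")},
    {"username": "auditor", "level": 2, "email": "auditor@example.test",
     "password": legacy_sha1("Winter2012")},  # same password as above: identical digest
    {"username": "helpdesk", "level": 3, "email": "helpdesk@example.test",
     "password": store_password("Winter2012")},
]
```

The audit is the check a reviewer would run over an export before deciding whether the file can be shared or archived; the salted format is what the stored value should look like instead.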
CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax CVE-2012-2566:
(6) An unauthenticated user can bypass the IP restriction and falsify the logs for HTTPS sites by inserting the X-Forwarded-For HTTP header with the value of an authorized IP address. A malicious user could also connect via HTTPS to a site that does not support HTTPS with the X-Forwarded-For header, and the entry in the Bloxx logs will record it as a connection to an HTTP site. For example, a malicious user could direct requests to non-approved websites, such as https://www.website.com, and the Bloxx logs will reflect that the victim has visited http://www.website.com and other adult websites.
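Added example for item (6), not Bloxx's code: X-Forwarded-For is client-controlled text, so an access-control or logging decision may only use it when the request arrived from a proxy the filter itself trusts to have set it. The function below returns the socket peer address unless the peer is a trusted proxy, and even then walks the header from the right, skipping trusted hops, so the first untrusted hop is taken as the client. The log record takes its scheme from the transport that was actually terminated, not from any header. The trusted-proxy range, the authorized client range and the record format are assumptions.

```python
import ipaddress
from typing import Optional

# Assumed: only these hops are allowed to have appended X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
# Assumed allow list behind the "IP restriction" the note mentions.
AUTHORIZED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]


def _in(networks, addr) -> bool:
    return any(addr in net for net in networks)


def resolve_client_ip(peer_ip: str, xff_header: Optional[str], trusted=TRUSTED_PROXIES):
    """Client address for policy and logging; the header is ignored unless a trusted proxy sent it."""
    peer = ipaddress.ip_address(peer_ip)
    if xff_header is None or not _in(trusted, peer):
        return peer  # direct client (or untrusted hop): whatever it claims in XFF is irrelevant
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Right-to-left: the rightmost entries were appended by our own proxies.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the socket address
        if not _in(trusted, addr):
            return addr
    return peer


def is_authorized(peer_ip: str, xff_header: Optional[str]) -> bool:
    return _in(AUTHORIZED_CLIENTS, resolve_client_ip(peer_ip, xff_header))


def log_record(peer_ip: str, xff_header: Optional[str], host: str, tls: bool) -> str:
    """Scheme comes from whether the filter terminated TLS, never from request text."""
    scheme = "https" if tls else "http"
    return f"client={resolve_client_ip(peer_ip, xff_header)} url={scheme}://{host}"
```

With this ordering a header supplied by a direct, unauthorized client changes neither the access decision nor the address written to the log, while a legitimate upstream proxy chain still resolves to the real client.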
The CVSS score below applies to CVE-2012-2564.
An attacker with access to the Bloxx Web Filtering management web interface can conduct a cross-site scripting or cross-site request forgery attack, which could result in information leakage, privilege escalation, and/or denial of service. An attacker with access to the Bloxx backup configuration files could recover the password hashes of the administrator account or possibly change the administrator account password.
Thanks to Travis Lee for reporting this vulnerability.
This document was written by Michael Orlando.