-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0176
         A vulnerability has been identified in BlueCoat Reporter
                             14 December 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              BlueCoat Reporter
Operating System:     Windows
                      Linux variants
                      VMWare ESX Server
Impact/Access:        Cross-site Request Forgery -- Remote with User Interaction
                      Cross-site Scripting       -- Remote with User Interaction
Resolution:           Patch/Upgrade
Member content until: Sunday, January 13 2013

OVERVIEW

        Two vulnerabilities, a reflected cross-site scripting (XSS) flaw and a
        cross-site request forgery (CSRF) flaw, have been identified in
        BlueCoat Reporter versions prior to 9.4. [1]


IMPACT

        The vendor has provided the following details regarding these 
        issues:
        
        "Reporter is vulnerable to reflected (non-persistent) cross site 
        scripting (XSS) attacks. User provided data is not validated or 
        sanitized prior to returning it in response to methods issued from 
        the client. The CVSS score for the cross site scripting 
        vulnerability is 2.3 (AV:A/AC:M/Au:S/C:N/I:P/A:N).
        
        Reporter is also vulnerable to cross site request forgery (CSRF) 
        through a variety of mechanisms. An attacker who lures a Reporter 
        administrator to browse a malicious website can use cross site 
        request forgery (CSRF) to submit commands to Reporter and gain 
        control of the product. Commands that the attacker can submit 
        include changing the password, changing the policy, and restarting 
        the product. The CVSS score for the CSRF vulnerability is 7.9 
        (AV:A/AC:M/Au:N/C:C/I:C/A:C)." [1]


MITIGATION

        The vendor recommends upgrading BlueCoat Reporter to version 9.4 or
        later, which corrects both issues. [1]


REFERENCES

        [1] December 12, 2012  Cross Site Scripting and Cross Site Request
            Forgery vulnerabilities in Reporter
            https://kb.bluecoat.com/index?page=content&id=SA72

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUMqn6+4yVqjM2NGpAQLUpw/+Mtm3c3TI4bfRJDrA2+N7bQFTL1HHyWSo
qMo8Cv6ROsiNXugg37g86ImZVFK3XJpJJZzNUlUFZkxVbKBSAJS5DCatU3JMGk1w
fNcfphDtGxZa3rusZaVR1iRNPtwCOztDuuWqbXGm+r+Q5ADBlZZdZC2iyCPlozRk
upZLy3/l25t6g87ZtC/8ksmAq+Ogrf+DHXdwGXApNXj5hA3lIGajrP7ta7RDMJIJ
u41VxtblNeWXOip1uqiQiPlV4lUB21kdCETRG8NEZU6+DFz2tS7feBWGeylGdv4p
snOFmb6tkM9ZxeldHobM6Ui2xOFltUO83MqmMJ+ZQPviu5Io4cGdVl/ReLdoZhBj
QWcbBJJFY9jBI4RW2YokqrXZuQBHOUse7E3LsHKHdyhFcn5WJPK9bcLtfr4vbHlJ
LnL7sMgmp3MoRUJ1Am4WPDnolnO4XCulzUSKypu9ppD1QnuLdsEaGTdUhxWWKh2H
upRKpoUZPuRi884oWBJM+hyUXo4UCWhf+Dot0tI+ikC489KBERtaKPjJ+kWBitN7
aiNubkTN7OP0sRimL1WEO0NIxcGEHG+aEj5hFMc8yIHqNls+kE1DfZkYq+DiuTpR
gtwXeTERFJByBT01hwHx1TaPl5r7GaGUzm4KZDll8GD5rOHy07/j4eY8GAJ0/my8
NPLrkH2hS38=
=hFgF
-----END PGP SIGNATURE-----