============================================
Securus Global "Trusted Security Solutions"
BlueCoat Courtesy Page Cross Site Scripting
============================================

---[ Advisory Information

Advisory ID: SG-2008-01
Advisory URL:
Date published:
Vendors contacted: BlueCoat
Remotely Exploitable: Yes (client side)
Locally Exploitable: No

---[ Synopsis

When a BlueCoat proxy system determines that an antivirus scan of a file is
taking a noticeable amount of time, it presents the user with a courtesy page
informing them that the file is currently being scanned. This page provides a
status bar detailing the progress of the scan and includes the URL of the file
being scanned. This URL is not properly sanitized, allowing custom content to
be included in the page.

This vulnerability was independently discovered by Juan Pablo Lopez Yacubian.

---[ Confirmed Vulnerable Packages

SGOS 5.2.4.6 PR

---[ Non-vulnerable Packages

Has not been researched.

---[ Technical Description / Proof of Concept Code

Several exploitation methods exist for this vulnerability. The most basic
consists of presenting a user with a link to content on a trusted page, such as
an intranet server or a trusted external web site. Any content that can cause
the courtesy page to be presented during scanning can be used in this attack.

Essentially, a meaningless argument can be appended to the URL of any content
that will be scanned, and this argument will be included inside the source of
the courtesy page. For example, if the website http://www.testsite.com were
hosting the file test.pdf, and this file were large enough to cause the
courtesy page to be presented to the user, the following link will insert a
JavaScript alert into the courtesy page:

http://www.testsite.com/test.pdf?anything=">

---[ Vendor Information, Solutions and Workarounds

Disable the courtesy page. Currently no vendor patch is available.
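
Added example (not part of the original advisory and not BlueCoat code): the
synopsis attributes the issue to a URL written into the courtesy page without
sanitization. The sketch below contrasts verbatim reflection with HTML-escaped
output; the template and function names are hypothetical, and the sample URL
is constructed.

```python
import html
from urllib.parse import urlsplit

# Hypothetical courtesy-page fragment; the real SGOS markup is not shown
# in the advisory. The URL lands in an attribute and in element text.
TEMPLATE = '<p>Scanning <a href="{url}">{label}</a>, please wait...</p>'


def render_unsafe(url):
    """Reflect the requested URL verbatim, as the advisory describes."""
    return TEMPLATE.format(url=url, label=url)


def render_safe(url):
    """Escape the URL for HTML output and refuse non-http(s) schemes."""
    if urlsplit(url).scheme not in ("http", "https"):
        raise ValueError("unexpected URL scheme")
    # quote=True also encodes " and ', so the value cannot close href="..."
    escaped = html.escape(url, quote=True)
    return TEMPLATE.format(url=escaped, label=escaped)


def contains_raw_markup(page, marker):
    """True if the marker survived into the page as live markup."""
    return marker in page


# Constructed sample: a meaningless query argument that closes the attribute
# and appends a harmless, recognisable element.
MARKER = "<b id=injected>"
SAMPLE_URL = 'http://www.testsite.com/test.pdf?anything=">' + MARKER

if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(SAMPLE_URL)
        print(name, "raw markup present:", contains_raw_markup(page, MARKER))
        print(page)
```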