Re: [FD] “Steganos Online Shield VPN” leaks the user’s hostname in the HTTP “Via” header

2014-08-15 Thread Adam Dodson
Hi,

I forwarded these details to the Steganos dev team and they have just
addressed this issue with a software update yesterday :)

Regards,
Adam

>
> On Sun, Aug 10, 2014 at 7:45 AM, Stefan Paletta wrote:
>
>> Hi!
>>
>> “Steganos Online Shield VPN” claims to enhance the user’s privacy online
>> ()
>> by, among other measures, (a) blocking advertisements in web pages, (b)
>> blocking tracking code in web pages,  and (c) replacing the browser’s
>> “User-Agent” header with a fixed value. The measures can be enabled
>> independent of each other and independent of other functionality of the
>> software (e.g. use of a VPN connection).
>>
>> Use of any feature (a) through (c) will enable a local HTTP proxy server
>> based on Node.js () and <https://github.com/axiak/filternet>.
>>
>> When (a) and/or (b) are enabled, and (c) is not, the proxy will leak the
>> hostname of the machine in a “Via” header like so: “Via: 1.1 foobar:8123
>> (Steganos Online Shield)” (where “foobar” is the local hostname).
>>
>> The code is this
>> <https://github.com/axiak/filternet/blob/e910c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L19>
>> (think %windir%\System32\HOSTNAME.EXE) and this
>> <https://github.com/axiak/filternet/blob/e910c3bf554ee1afa701cf5bd765396427ec/lib/proxy.js#L116>.
>>
>> When (c) is enabled, custom code in the proxy will replace the
>> “User-Agent” header with a fixed value and replace the “Via” header with
>> the empty string (not remove it altogether), thereby mitigating the
>> information leak.
>>
>> The machine’s hostname is usually strongly connected to the user’s
>> identity (often containing their name). In addition to that, it is a strong
>> distinguisher that will allow a correlation of HTTP requests as originating
>> from the same machine (and thereby user, to some degree) even when these
>> requests are not otherwise related in any way.
>>
>> When reproducing, be careful that online services echoing back your HTTP
>> request may or may not echo a “Via” header when one is in fact present.
>>
>> –Stefan
>>
>> ___
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
>
>

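The quoted report describes a local proxy that writes the machine name into the "Via" header and a mitigation that blanks the value rather than dropping the header. The following is an added example, not code from Steganos or from axiak/filternet: it parses a Via value, checks whether any hop names the local hostname, and contrasts the three treatments (blank, remove, pseudonym). Function names and the sample headers are this example's own.

```javascript
// Added example (not Steganos or axiak/filternet code): models the "Via"
// handling the report describes so a defender can audit what a local proxy
// emits. All function names and sample values are this example's own.

// Parse an RFC 7230 Via value into hops of the form
//   [protocol-version] received-by [comment]
// e.g. "1.1 foobar:8123 (Steganos Online Shield)".
// Hops are comma-separated; a comma inside a comment is not handled here.
function parseVia(value) {
  const hops = [];
  for (const raw of String(value).split(',')) {
    const hop = raw.trim();
    if (hop === '') continue;
    const m = /^(\S+)\s+(\S+)(?:\s+\((.*)\))?$/.exec(hop);
    if (!m) continue;
    hops.push({ version: m[1], receivedBy: m[2], comment: m[3] || '' });
  }
  return hops;
}

// Does any hop's received-by token name this machine (with or without a port)?
// Node's http module lower-cases header names, hence headers['via'].
function viaLeaksHostname(headers, hostname) {
  const via = headers['via'];
  if (typeof via !== 'string' || via === '') return false;
  const wanted = hostname.toLowerCase();
  return parseVia(via).some(
    hop => hop.receivedBy.split(':')[0].toLowerCase() === wanted);
}

// What the report says the User-Agent feature does: blank the value but keep
// the header key present.
function blankVia(headers) {
  headers['via'] = '';
  return headers;
}

// Stricter alternative: remove the header so no Via is sent at all.
function removeVia(headers) {
  delete headers['via'];
  return headers;
}

// Alternative that keeps Via informative: RFC 7230 allows a pseudonym in place
// of the host, so a fixed token (chosen here) replaces the hostname.
function pseudonymVia(product) {
  return `1.1 local-proxy (${product})`;
}

// Constructed sample headers mirroring the leak quoted in the report.
function sampleHeaders() {
  return {
    host: 'example.com',
    'user-agent': 'Mozilla/5.0',
    via: '1.1 foobar:8123 (Steganos Online Shield)',
  };
}

// Audit helper: report which treatment still exposes the given hostname.
function auditTreatments(hostname) {
  return {
    original: viaLeaksHostname(sampleHeaders(), hostname),
    blanked: viaLeaksHostname(blankVia(sampleHeaders()), hostname),
    removed: viaLeaksHostname(removeVia(sampleHeaders()), hostname),
    pseudonym: viaLeaksHostname(
      Object.assign(sampleHeaders(), { via: pseudonymVia('Steganos Online Shield') }),
      hostname),
  };
}

console.log(auditTreatments('foobar'));
```

Run with `node` to see which treatments still expose "foobar". Blanking and removing both stop the leak, but only removal stops the header key from being sent at all, which is why a reviewer would prefer `removeVia` or a fixed pseudonym over an empty value.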

[FD] XSS Reflected vulnerability in RiverBed Stingray Traffic Manager Virtual Appliance V 9.6

2014-08-15 Thread William Costa
I. VULNERABILITY
-

XSS Reflected vulnerability in RiverBed Stingray Traffic Manager Virtual
Appliance V 9.6

II. BACKGROUND
-
Silver Peak VX software marries the cost and flexibility benefits of
virtualization with the performance gains associated with Silver Peak WAN
optimization technology.

III. DESCRIPTION
-
An XSS Reflected vulnerability has been detected in Riverbed Stingray
Traffic Manager Virtual Appliance V 9.6 "/apps/zxtm/locallog.cgi?logfile="
parameter "logfile" in version 9.6, which allows arbitrary HTML/script code
to be executed in the context of the victim user's browser.

IV. PROOF OF CONCEPT
-
The application does not validate the parameter "logfile"
https://10.200.210.108:9090/apps/zxtm/locallog.cgi?logfile=alert(document.cookie);

V. BUSINESS IMPACT
-

The vulnerability allows arbitrary HTML/script code to be executed in the
context of the victim user's browser, and session hijacking.

VI. REQUIREMENTS
-
An Attacker needs to know the IP of the device.
An Administrator needs an authenticated connection to the device.

VII. SYSTEMS AFFECTED
-
Try version 9.6 (patchlevel 9620140312)

VIII. SOLUTION
-
All parameters must be validated. No information from Riverbed about a fix.

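The advisory's defect class is a handler that reflects the "logfile" query parameter into HTML without validation or encoding. The following is an added example, not Riverbed code: it shows the unsafe reflection beside a hardened handler (allowlist validation plus HTML output encoding), a regression check, and a log-review helper that flags requests whose "logfile" value carries markup. Handler names, the placeholder host and the sample URL are this example's own; only the path comes from the advisory.

```javascript
// Added example (not Riverbed code): models the defect class in the advisory,
// a CGI-style handler echoing the "logfile" query parameter into HTML, beside
// a hardened version. Handler names and the sample host are this example's own.

// Unsafe pattern: raw reflection of user input into the page body.
function renderUnsafe(logfile) {
  return { status: 200, body: `<h1>Log file: ${logfile}</h1>` };
}

// Output encoding for an HTML text context: neutralise the characters that
// can open tags, attributes or entities.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Input validation: a log file name is a short basename from an allowlisted
// character set, so path separators and markup never reach the page.
const LOGFILE_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
function isValidLogfile(name) {
  return typeof name === 'string' && LOGFILE_RE.test(name);
}

// Hardened handler: validate first, encode on output (defence in depth, since
// a later change could loosen the allowlist).
function renderSafe(logfile) {
  if (!isValidLogfile(logfile)) {
    return { status: 400, body: '<h1>Invalid log file name</h1>' };
  }
  return { status: 200, body: `<h1>Log file: ${escapeHtml(logfile)}</h1>` };
}

// Regression check: does a probe containing markup reach the response verbatim?
function reflectsVerbatim(render, probe) {
  return render(probe).body.includes(probe);
}

// Detection side: flag request URLs to the affected path whose "logfile"
// value carries markup or quotes after percent-decoding, for access-log review.
function isSuspiciousLogfileRequest(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; }
  if (!parsed.pathname.endsWith('/apps/zxtm/locallog.cgi')) return false;
  const value = parsed.searchParams.get('logfile');
  return value !== null && /[<>"']/.test(value);
}

// Constructed sample: a markup probe and a request to the advisory's path on a
// placeholder host.
const PROBE = '<script>alert(1)</script>';
const SAMPLE_URL =
  'https://appliance.example:9090/apps/zxtm/locallog.cgi?logfile=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

console.log('unsafe reflects probe:', reflectsVerbatim(renderUnsafe, PROBE));
console.log('safe reflects probe:', reflectsVerbatim(renderSafe, PROBE));
console.log('sample URL flagged:', isSuspiciousLogfileRequest(SAMPLE_URL));
```

The allowlist rejects the probe outright (HTTP 400), and even a name that passes it is encoded before insertion, so neither layer alone is relied upon. The log check works on the decoded parameter, because a naive search for `<` in the raw request line misses percent-encoded payloads.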


[FD] Reminder: CFP closes next week for PacSec.jp in Tokyo Nov12-13

2014-08-15 Thread Dragos Ruiu
Next week we will begin the reviews and collation of talk submissions for
Tokyo.

Send your submissions to secwest14 [at] pacsec.jp. Details on the site.

 

Thanks,

--dr

