[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

some ooold Juniper bugs (was: [Full-disclosure] ZDI-10-231: Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability)

This reminded me of a bunch of problems I spotted in Juniper SSL VPN a
while ago; they are apparently fixed, but I don't recall seeing any
public vendor advisory / credit for reporting them - so here you go,
even if just for the record...

These were fixed by Juniper in IVE 6.3R1, 6.2R3, 6.1R5, 6.0R8, and 5.5
R7.1 over a year ago.

1) Auth bypass - IVE permitted just about any script on the box to be
invoked without authentication by going through a
/dana-na/download/?url= hop, for example:


2) XSS flaws (which are pretty bad in SSL VPN appliances, because they
completely trash the security model of this access mode):

This worked in IVE 6.2:

This worked with IVE 5.5 & Firefox:

This worked with IVE 5.5 & MSIE:

XSS + response splitting:


And some more vanilla XSSes: