TITLE:  03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN
appliance
 
SUMMARY
 
  Cross Site Scripting bug in the 'delhomepage.cgi' CGI binary in the
  NetScreen-SA 5000 Series SSL VPN appliance.
 

DETAILS
 
  There exists a cross-site scripting bug in 'row' parameter of the 
  'delhomepage.cgi' CGI binary.  This bug was discovered on an appliance

  known as an "A5030-Clustered pair" running firmware version 3.3 Patch
1
  (build 4797).  The vulnerability may exist in other versions.  This
issue
  may result in the theft of credentials such as session cookies, allow 
  hostile client-side scripts to run with unintended access privileges,
or 
  provide a means for a "phishing" attack.  For more detailed
descriptions 
  of Cross Site Scripting and its implications, please refer to
whitepapers 
  such as:
 
    http://www.cgisecurity.com/articles/xss-faq.shtml
    http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf
 
  The 'delhomepage.cgi' is accessible only by authenticated users.
 

WORKAROUND
 
  Upgrade to the patched version of IVE software.  Contact Netscreen
support
  for details.
 

ORIGINATOR
 
  The issue was discovered by Mark Lachniet of Analysts International 
  [lachniet -=at=- analysts.com] during a security analysis of the web 
  application interface of the device.  Analysts International's
security
  team provides a variety of security services and can be reached at
  [SecurityServices -=at=- analysts.com].
 

MAINTAINER
 
  The maintainer of the Netscreen IVE SSL VPN Appliance is the Netscreen
  Corporation [http://www.netscreen.com]. The following information
about
  security at Netscreen is taken from the Security Center web page at:
 
    http://www.netscreen.com/services/security/index.jsp
 
  "Please report any potential or real instances of a security
vulnerability 
   (with any NetScreen product or service) to the NetScreen Security
Alert 
   Team at security@netscreen.com . For immediate assistance, TAC isd  
   Available 24 hours a day by calling 1-877-NETSCREEN."
 
VENDOR RESPONSE
 
  In the opinion of the author, the Netscreen corporation responded
quickly 
  and efficiently to this issue, and clearly takes the security of their

  products seriously.  Netscreen should be commended for their prompt
and 
  professional handling of the issue.
 
DATE OF CONTACT
 
2/6/2004  - Sent E-Mail to Sriram Ramachandran [SRamachandran -=at=-  
            netscreen.com] and received response.  Immediately discussed

            issue via. conference call.  The bug was confirmed by the 
            Netscreen staff.
 

2/7/2004  - Draft advisory sent to Netscreen support staff
 
2/9/2004  - Ongoing dialog with Netscreen on issue
 
2/11/2004 - Ongoing dialog with Netscreen on issue
 
2/18/2004 - Ongoing dialog with Netscreen on issue
 
2/23/2004 - Ongoing dialog with Netscreen on issue
 
2/25/2004 - Advisory updated based on vendor response
 
3/02/2004 - Final advisory released