TITLE:
Nortel SSL VPN Web Interface Arbitrary Command Execution Vulnerability

SECUNIA ADVISORY ID:
SA17974

VERIFY ADVISORY:
http://secunia.com/advisories/17974/

CRITICAL:
Moderately critical

IMPACT:
Cross Site Scripting, System access

WHERE:
From remote

OPERATING SYSTEM:
Nortel Alteon SSL VPN
http://secunia.com/product/2436/

DESCRIPTION:
Daniel Fabian has reported a vulnerability in Nortel SSL VPN, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially to compromise a user's system.

Input passed to the "a" parameter in "tunnelform.yaws" of the web interface isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

It is reportedly possible to execute arbitrary commands on the user's browser by making use of the cryptographically signed Java Applet that is loaded by the web pages, and supplying the commands via a malicious link.

Successful exploitation requires that the user is e.g. tricked into following a malicious link and to logon to the web interface of the VPN after following the link.

The vulnerability has been reported in version 4.2.1.6. Prior versions may also be affected.

SOLUTION:
The vulnerability has reportedly been fixed in release v5.1.5.

PROVIDED AND/OR DISCOVERED BY:
Daniel Fabian, SEC-CONSULT

ORIGINAL ADVISORY:
SEC-CONSULT:
http://www.sec-consult.com/247.html
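For sites that cannot move to the fixed release immediately, the following added example (not part of the Secunia or SEC-CONSULT advisory) scans web access logs for requests to "tunnelform.yaws" whose "a" parameter carries HTML markup after decoding. The combined log format, the function names, the request paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters that let a reflected value break out into HTML or script context.
MARKUP = re.compile(r"[<>\"'`]|javascript:", re.I)
# Request field of a combined-format access log line (log format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines using documentation IP addresses
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /tunnelform.yaws?a=intranet HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2006:10:00:05 +0000] "GET /tunnelform.yaws?a=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '192.0.2.12 - - [01/Jan/2006:10:00:09 +0000] "GET /tunnelform.yaws?a=%253Cb%253E HTTP/1.1" 200 530',
    '192.0.2.13 - - [01/Jan/2006:10:00:12 +0000] "GET /index.yaws?a=%3Cb%3E HTTP/1.1" 200 100',
]

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_a_values(log_lines):
    """Return (line_no, decoded value) for tunnelform.yaws requests whose
    "a" parameter contains markup characters once decoded."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/tunnelform.yaws"):
            continue
        # parse_qsl decodes one layer; decode_fully removes any further layers.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "a" and MARKUP.search(decode_fully(value)):
                hits.append((no, decode_fully(value)))
    return hits

if __name__ == "__main__":
    for line_no, value in suspicious_a_values(SAMPLE_LOG):
        print(f"line {line_no}: suspicious a={value!r}")
```

Access logs record only the query string, so a value submitted in a POST body would need the same check applied at a proxy or WAF that sees request bodies.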