---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Stonesoft StoneGate SSL VPN Same Origin Policy Bypass SECUNIA ADVISORY ID: SA37788 VERIFY ADVISORY: http://secunia.com/advisories/37788/ DESCRIPTION: A vulnerability has been reported in StoneGate SSL VPN, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to the web-based VPN implementation prepending the same domain to all opened websites. This can be exploited to bypass a browser's same origin policy and e.g. access cookies for normally restricted domains by tricking a user into browsing to a malicious website via the VPN. SOLUTION: Deploy only trusted resources to the SSL VPN portal. Please see the vendor's advisory for more information. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Michal Zalewski and Mike Zusman for the original report. Additional vulnerability details provided by David Warren and Ryan Giobbi of US-CERT. ORIGINAL ADVISORY: Stonesoft: http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html US-CERT VU#261869: http://www.kb.cert.org/vuls/id/261869 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------