Multiple Cross-Site Scripting vulnerabilities in Websense Reporting

Abstract

It has been found that Websense Reporting is affected by multiple Cross-Site Scripting issues. Cross-Site Scripting allows an attacker to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well.

Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this issue is fixed. More information can be found on the vendor's website.

This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: https://support.forcepoint.com/KBArticle?id=Vulnerabilities-resolved-in-TRITON-APX-Version-8-0

Introduction

Websense Data Security Suite contains three modules - Data Security Gateway, Data Discover, and Data Endpoint - that can help manage the risk of losing your data to malicious users or accidental misuse.

It has been found that Websense Reporting is affected by multiple Cross-Site Scripting issues. Various request parameters are not properly encoded when using in a (HTML) report. This allows attackers to inject arbitrary client-side scripting code in the output of Websense Reporting.

Details

One example of a vulnerable request parameter is the col. Its value is copied into the value of an HTML tag attribute; encapsulated in double quotation marks. The value echoed unmodified (without output encoding) in the application's response. This vulnerability can be reproduced using the following steps:

  • login into Admin GUI;
  • open the proof of concept below;
  • hover over 'Risk Class' in left corner.

https://:9443/explorer_wse/explorer_anon.exe?col=a86de%27onmouseover%3d%27alert%28document.cookie%29%27de90f&delAdmin=0&startDate=2014-07-31&endDate=2014-08-01

An attacker must trick victims into opening the attacker's specially crafted link. This is for example possible by sending a victim a link in an email or instant message. Once a victim opens the specially crafted link, arbitrary client-side scripting code will be executed in the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes.

Questions or feedback?