Advisory Name: Reflected Cross-Site Scripting and Open Redirect in WatchGuard Fireware v11.11
Application: WatchGuard Fireware version 11.11 and earlier
Discovered by: Ryan Ward
Vendor Status: Resolved in v11.11.1. Fireware update available from: https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_11_1/index.html#Fireware/en-US/EN_Release_Notes_Fireware.html
Reflected Cross-Site-Scripting (Reflected XSS) and Open Redirection
Cross-Site Scripting (XSS) is a vulnerability that occurs when user-entered data is accepted by the server and returned in a response without proper sanitisation, which allows an attacker to embed malicious scripts in a request that is later served to another user. Reflected XSS occurs when the malicious data is immediately returned in the response to the malicious request, whereas Stored XSS occurs when the malicious data is held by the application for some time before being embedded in a response (for example, stored in a database and retrieved at a later date).
Open redirection vulnerabilities occur when an application incorporates user controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users.
A single parameter on the SSL-VPN authentication applet of WatchGuard firewalls running Fireware versions earlier than v11.11.1 was found to be vulnerable to both Reflected Cross-Site Scripting (XSS) and Open Redirection. This would allow an attacker to launch XSS attacks against targeted users by sending them crafted links (for example, a malicious link in a targeted email). The effects could, for example, include:
- Stealing access credentials from a targeted user as that user logs in
- Stealing an access token from a targeted user as that user logs in
- Displaying a malicious or political message to the user (virtual defacement)
The same parameter was also found to be vulnerable to an open redirect: https://Firewall_IP:4100/success.html?redirect=http://www.sec-1.com would redirect the user's browser to the Sec-1 homepage.
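The following is an added illustration, not WatchGuard's code or Sec-1's test material: a hypothetical server-side handler showing how a `redirect` parameter like the one on success.html can be validated and escaped so it can neither send the browser off-site nor reflect script, together with a detector that flags requests carrying an unsafe redirect value in constructed sample access-log lines. The log format, the handler name and the sample values are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

def is_safe_redirect(target: str) -> bool:
    """Accept only same-site, path-only targets such as '/portal'.
    Rejects absolute URLs, protocol-relative '//host', scheme values
    like 'javascript:', backslashes and CR/LF/NUL characters."""
    if not target or not target.startswith("/") or target.startswith("//"):
        return False
    if any(c in target for c in "\\\r\n\x00"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""

def render_success(redirect_param: str, default: str = "/") -> str:
    """Hypothetical handler: validate the target, fall back to a fixed
    default, and HTML-escape before reflecting it into markup, so the
    parameter can neither redirect off-site nor inject script."""
    target = redirect_param if is_safe_redirect(redirect_param) else default
    return f'<meta http-equiv="refresh" content="0;url={html.escape(target, quote=True)}">'

LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')

def suspicious_redirects(log_lines):
    """Detection over access logs: return (line number, redirect value) for
    requests to success.html whose redirect value fails is_safe_redirect."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if not url.path.endswith("/success.html"):
            continue
        for value in parse_qs(url.query).get("redirect", []):  # decodes %2F etc.
            if not is_safe_redirect(value):
                hits.append((n, value))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2016:10:00:00 +0000] "GET /success.html?redirect=http://www.sec-1.com HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2016:10:00:01 +0000] "GET /success.html?redirect=/portal HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2016:10:00:02 +0000] "GET /success.html?redirect=%2F%2Fwww.sec-1.com HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Jan/2016:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(suspicious_redirects(SAMPLE_LOG))
```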
As of Fireware 11.11.1 this vulnerability has been reported as being fixed by WatchGuard. Sec-1 would like to thank WatchGuard for their prompt and professional response.