Executive Summary

This vulnerability affects Smoothwall Express 3.1-SP4-polar-x86_64-update9 and involves stored and reflected cross-site scripting (XSS) flaws in the urlfilter.cgi endpoint and other CGI scripts. Attackers can send specially crafted POST requests containing malicious JavaScript payloads in parameters such as REDIRECT_PAGE or CHILDREN. Because these inputs are not properly sanitized, the malicious scripts can be injected and executed in the browsers of users accessing the affected web interface.

The XSS vulnerabilities allow attackers to run arbitrary JavaScript code within the context of the Smoothwall web interface, potentially compromising user sessions or causing other malicious effects.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to attackers executing arbitrary JavaScript in the browsers of users interacting with the Smoothwall Express web interface. Such execution can result in session hijacking, where attackers steal user session tokens, defacement of the web interface, or other malicious actions that compromise the integrity and security of the system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending crafted HTTP POST requests to the urlfilter.cgi endpoint on port 81 of the Smoothwall Express 3.1-SP4-polar-x86_64-update9 system. The requests should include malicious script payloads in parameters such as REDIRECT_PAGE or CHILDREN to test for cross-site scripting (XSS) vulnerabilities.'}, {'type': 'paragraph', 'content': "For example, you can use curl commands to send POST requests with JavaScript payloads like `'><script>alert(1)</script>` in the vulnerable parameters and observe if the script executes or is reflected in the response."}, {'type': 'list_item', 'content': 'curl -X POST http://<target-ip>:81/urlfilter.cgi -d "REDIRECT_PAGE=\'><script>alert(1)</script>"'}, {'type': 'list_item', 'content': 'curl -X POST http://<target-ip>:81/urlfilter.cgi -d "CHILDREN=\'><script>alert(1)</script>"'}, {'type': 'paragraph', 'content': 'If the response or the web interface executes or reflects the injected script, it indicates the presence of the XSS vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected web interface, especially the urlfilter.cgi endpoint on port 81, to trusted users only.

Additionally, avoid using the vulnerable parameters (such as REDIRECT_PAGE and CHILDREN) with untrusted input and monitor for suspicious POST requests targeting these parameters.

Since the vulnerability arises from improper input sanitization, applying any available patches or updates from the vendor that address these XSS issues is critical.

If patches are not available, consider implementing web application firewall (WAF) rules to detect and block malicious script payloads in POST requests.

Useful 0 Not Useful 0