ID

VAR-200909-0226


CVE

CVE-2009-3485


TITLE

Juniper JUNOS J-Web Interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2009-005013

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the J-Web interface in Juniper JUNOS 8.5R1.14 and 9.0R1.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. This issue affects the following: J-Web 8.5R1.14, J-Web 9.0R1.1.

----------------------------------------------------------------------

TITLE: Juniper JUNOS JWeb Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA36829

VERIFY ADVISORY: http://secunia.com/advisories/36829/

DESCRIPTION: Some vulnerabilities have been reported in Juniper JUNOS, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to conduct script insertion attacks.

1) Input passed via the URL to the JWeb administrative web interface is not properly sanitised before being returned to the user.

2) Input passed via multiple parameters to the JWeb administrative web interface is not properly sanitised before being returned to the user. The following parameters passed to the following scripts are reportedly affected:
* "host" to /diagnose?m[]=pinghost and /diagnose?m[]=traceroute
* "probe-limit" to /configuration?m[]=wizards&m[]=rpm
* "wizard_ids" and "pager-new-identifier" to /configuration?m[]=wizards&m[]=firewall-acl&m[]=firewall-filters
* "os-physical-interface-name" to /configuration?m[]=wizards&m[]=cos&m[]=cos-interfaces
* "wizard-args" and "wizard-ids" to /configuration?m[]=wizards&m[]=snmp
* "username" and "fullname" to /configuration?m[]=wizards&m[]=users
* "certname" and "certbody" to /configuration?m[]=wizards&m[]=https

3) Input passed via multiple parameters to the JWeb administrative web interface is not properly sanitised before being returned to the user. The following parameters passed to the following scripts are reportedly affected:
* "JEXEC_OUTID" to /jexec?JEXEC_MODE=JEXEC_MODE_RELAY_OUTPUT&JEXEC_RPC=request-background-task-start-junoscript
* "act" to /scripter.php?debug=1&ifid=1&refresh-time=1
* "refresh-time" to /scripter.php
* "ifid" to /scripter?act=header
* "revision" to /configuration?m[]=history&action=rollback
* "m[]" to /monitor, /manage, /events, /configuration, /alarms, and /
* "wizard-next" to /configuration?m[]=wizards&m[]=https

4) Input passed via the "Contact Information", "System Description", "Local Engine ID", "System Location", and "System Name Override" fields to /configuration?m[]=wizards&m[]=snmp&start=true is not properly sanitised before being stored.

Vulnerability #1 is reported in JWeb version 8.5R1.14 and 9.0R1.1. Vulnerabilities #2 through #4 are reported in version 8.5R1.14.

SOLUTION: Filter malicious characters and character sequences in a web proxy.

PROVIDED AND/OR DISCOVERED BY:
1, 2) Amir Azam of ProCheckUp Ltd
3, 4) Richard Brain of ProCheckUp Ltd

ORIGINAL ADVISORY:
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-08
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-10

Trust: 2.07

sources: NVD: CVE-2009-3485 // JVNDB: JVNDB-2009-005013 // BID: 36537 // VULHUB: VHN-40931 // PACKETSTORM: 81711

AFFECTED PRODUCTS

vendor: juniper, model: junos, scope: eq, version: 9.0

Trust: 1.6

vendor: juniper, model: junos, scope: eq, version: 8.5

Trust: 1.6

vendor: juniper, model: junos os, scope: eq, version: 8.5r1.14 and 9.0r1.1

Trust: 0.8

vendor: juniper, model: networks junos r1.1, scope: eq, version: 9.0

Trust: 0.3

vendor: juniper, model: networks junos r1.14, scope: eq, version: 8.5

Trust: 0.3

sources: BID: 36537 // JVNDB: JVNDB-2009-005013 // CNNVD: CNNVD-200910-074 // NVD: CVE-2009-3485

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-3485
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-3485
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200910-074
value: MEDIUM

Trust: 0.6

VULHUB: VHN-40931
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2009-3485
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-40931
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-40931 // JVNDB: JVNDB-2009-005013 // CNNVD: CNNVD-200910-074 // NVD: CVE-2009-3485

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-40931 // JVNDB: JVNDB-2009-005013 // NVD: CVE-2009-3485

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200910-074

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 81711 // CNNVD: CNNVD-200910-074

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-005013

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-40931

PATCH

title: Top Page, url: http://www.juniper.net/us/en/

Trust: 0.8

sources: JVNDB: JVNDB-2009-005013

EXTERNAL IDS

db: NVD, id: CVE-2009-3485

Trust: 2.5

db: BID, id: 36537

Trust: 2.0

db: SECUNIA, id: 36829

Trust: 1.8

db: VUPEN, id: ADV-2009-2784

Trust: 1.7

db: JVNDB, id: JVNDB-2009-005013

Trust: 0.8

db: CNNVD, id: CNNVD-200910-074

Trust: 0.7

db: EXPLOIT-DB, id: 33257

Trust: 0.1

db: SEEBUG, id: SSVID-86493

Trust: 0.1

db: VULHUB, id: VHN-40931

Trust: 0.1

db: PACKETSTORM, id: 81711

Trust: 0.1

sources: VULHUB: VHN-40931 // BID: 36537 // JVNDB: JVNDB-2009-005013 // PACKETSTORM: 81711 // CNNVD: CNNVD-200910-074 // NVD: CVE-2009-3485

REFERENCES

url:http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-08

Trust: 2.1

url:http://www.securityfocus.com/bid/36537

Trust: 1.7

url:http://secunia.com/advisories/36829

Trust: 1.7

url:http://www.vupen.com/english/advisories/2009/2784

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-3485

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-3485

Trust: 0.8

url:http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09

Trust: 0.4

url:http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-10

Trust: 0.4

url:http://www.juniper.net/

Trust: 0.3

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/36829/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-40931 // BID: 36537 // JVNDB: JVNDB-2009-005013 // PACKETSTORM: 81711 // CNNVD: CNNVD-200910-074 // NVD: CVE-2009-3485

CREDITS

Amir Azam, Richard Brain

Trust: 0.9

sources: BID: 36537 // CNNVD: CNNVD-200910-074

SOURCES

db: VULHUB, id: VHN-40931
db: BID, id: 36537
db: JVNDB, id: JVNDB-2009-005013
db: PACKETSTORM, id: 81711
db: CNNVD, id: CNNVD-200910-074
db: NVD, id: CVE-2009-3485

LAST UPDATE DATE

2025-04-10T23:06:56.698000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-40931, date: 2009-10-05T00:00:00
db: BID, id: 36537, date: 2009-09-29T16:40:00
db: JVNDB, id: JVNDB-2009-005013, date: 2012-09-25T00:00:00
db: CNNVD, id: CNNVD-200910-074, date: 2009-10-05T00:00:00
db: NVD, id: CVE-2009-3485, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB, id: VHN-40931, date: 2009-09-30T00:00:00
db: BID, id: 36537, date: 2009-09-22T00:00:00
db: JVNDB, id: JVNDB-2009-005013, date: 2012-09-25T00:00:00
db: PACKETSTORM, id: 81711, date: 2009-09-29T12:47:23
db: CNNVD, id: CNNVD-200910-074, date: 2009-09-30T00:00:00
db: NVD, id: CVE-2009-3485, date: 2009-09-30T15:30:00.467