ID
VAR-200909-0227
CVE
CVE-2009-3486
TITLE
Juniper JUNOS of J-Web Interface cross-site scripting vulnerability
Trust: 0.8
DESCRIPTION
Multiple cross-site scripting (XSS) vulnerabilities in the J-Web interface in Juniper JUNOS 8.5R1.14 allow remote authenticated users to inject arbitrary web script or HTML via the host parameter to (1) the pinghost program, reachable through the diagnose program; or (2) the traceroute program, reachable through the diagnose program; or (3) the probe-limit parameter to the configuration program; the (4) wizard-ids or (5) pager-new-identifier parameter in a firewall-filters action to the configuration program; (6) the cos-physical-interface-name parameter in a cos-physical-interfaces-edit action to the configuration program; the (7) wizard-args or (8) wizard-ids parameter in an snmp action to the configuration program; the (9) username or (10) fullname parameter in a users action to the configuration program; or the (11) certname or (12) certbody parameter in a local-cert (aka https) action to the configuration program. Juniper JUNOS of J-Web The interface contains a cross-site scripting vulnerability.Depending on the remote authenticated user, host Any via parameter Web Script or HTML May be inserted. Juniper Networks JUNOS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data to J-Web (Juniper Web Management). Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. This issue affects the following: J-Web 8.5R1.14 J-Web 9.0R1.1. JUNOS is prone to a cross-site scripting vulnerability. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Juniper JUNOS JWeb Multiple Vulnerabilities SECUNIA ADVISORY ID: SA36829 VERIFY ADVISORY: http://secunia.com/advisories/36829/ DESCRIPTION: Some vulnerabilities have been reported in Juniper JUNOS, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to conduct script insertion attacks. 1) Input passed via the URL to the JWeb administrative web interface is not properly sanitised before being returned to the user. 2) Input passed via multiple parameters to the JWeb administrative web interface is not properly sanitised before being returned to the user. The following parameters passed to the following scripts are reportedly affected: * "host" to /diagnose?m[]=pinghost and /diagnose?m[]=traceroute * "probe-limit" to /configuration?m[]=wizards&m[]=rpm * "wizard_ids" and "pager-new-identifier" to /configuration?m[]=wizards&m[]=firewall-acl&m[]=firewall-filters * "os-physical-interface-name" to /configuration?m[]=wizards&m[]=cos&m[]=cos-interfaces * "wizard-args" and "wizard-ids" to /configuration?m[]=wizards&m[]=snmp * "username" and "fullname" to /configuration?m[]=wizards&m[]=users * "certname" and "certbody" to /configuration?m[]=wizards&m[]=https 3) Input passed via multiple parameters to the JWeb administrative web interface is not properly sanitised before being returned to the user. The following parameters passed to the following scripts are reportedly affected: * "JEXEC_OUTID" to /jexec?JEXEC_MODE=JEXEC_MODE_RELAY_OUTPUT&JEXEC_RPC=request-background-task-start-junoscript * "act" to /scripter.php?debug=1&ifid=1&refresh-time=1 * "refresh-time" to /scripter.php * "ifid" to /scripter?act=header * "revision" to /configuration?m[]=history&action=rollback * "m[]" to /monitor, /manage, /events, /configuration, /alarms, and / " "wizard-next" to /configuration?m[]=wizards&m[]=https 4) Input passed via the "Contact Information", "System Description", "Local Engine ID", "System Location", and "System Name Override" fields to /configuration?m[]=wizards&m[]=snmp&start=true is not properly sanitised before being stored. Vulnerability #1 is reported in JWeb version 8.5R1.14 and 9.0R1.1. Vulnerabilities #2 through #4 are reported in version 8.5R1.14. SOLUTION: Filter malicious characters and character sequences in a web proxy. PROVIDED AND/OR DISCOVERED BY: 1, 2) Amir Azam of ProCheckUp Ltd 3, 4) Richard Brain of ProCheckUp Ltd ORIGINAL ADVISORY: http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-08 http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09 http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-10 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
Trust: 2.34
AFFECTED PRODUCTS
| vendor: | juniper | model: | junos | scope: | eq | version: | 8.5 | Trust: 1.6 |
| vendor: | juniper | model: | junos os | scope: | eq | version: | 8.5r1.14 | Trust: 0.8 |
| vendor: | juniper | model: | networks junos r1.1 | scope: | eq | version: | 9.0 | Trust: 0.3 |
| vendor: | juniper | model: | networks junos r1.14 | scope: | eq | version: | 8.5 | Trust: 0.3 |
| vendor: | juniper | model: | junos r1.14 | scope: | eq | version: | 8.5 | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-79 | Trust: 1.9 |
THREAT TYPE
network
Trust: 0.6
TYPE
xss
Trust: 0.7
CONFIGURATIONS
EXPLOIT AVAILABILITY
PATCH
| title: | Top Page | url: | http://www.juniper.net/us/en/ | Trust: 0.8 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2009-3486 | Trust: 2.8 |
| db: | BID | id: | 36537 | Trust: 2.3 |
| db: | SECUNIA | id: | 36829 | Trust: 1.8 |
| db: | VUPEN | id: | ADV-2009-2784 | Trust: 1.7 |
| db: | JVNDB | id: | JVNDB-2009-005014 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-200910-075 | Trust: 0.7 |
| db: | BID | id: | 80431 | Trust: 0.4 |
| db: | EXPLOIT-DB | id: | 33259 | Trust: 0.1 |
| db: | EXPLOIT-DB | id: | 33258 | Trust: 0.1 |
| db: | SEEBUG | id: | SSVID-86495 | Trust: 0.1 |
| db: | SEEBUG | id: | SSVID-86494 | Trust: 0.1 |
| db: | VULHUB | id: | VHN-40932 | Trust: 0.1 |
| db: | PACKETSTORM | id: | 81711 | Trust: 0.1 |
REFERENCES
| url: | http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-09 | Trust: 2.4 |
| url: | http://www.securityfocus.com/bid/36537 | Trust: 2.0 |
| url: | http://secunia.com/advisories/36829 | Trust: 1.7 |
| url: | http://www.vupen.com/english/advisories/2009/2784 | Trust: 1.7 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-3486 | Trust: 0.8 |
| url: | http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-3486 | Trust: 0.8 |
| url: | http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-08 | Trust: 0.4 |
| url: | http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-10 | Trust: 0.4 |
| url: | http://www.juniper.net/ | Trust: 0.3 |
| url: | http://secunia.com/advisories/secunia_security_advisories/ | Trust: 0.1 |
| url: | http://secunia.com/advisories/36829/ | Trust: 0.1 |
| url: | http://secunia.com/advisories/business_solutions/ | Trust: 0.1 |
| url: | http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org | Trust: 0.1 |
| url: | http://secunia.com/advisories/about_secunia_advisories/ | Trust: 0.1 |
CREDITS
Amir Azam, Richard Brain
Trust: 0.9
SOURCES
| db: | VULHUB | id: | VHN-40932 |
| db: | BID | id: | 36537 |
| db: | BID | id: | 80431 |
| db: | JVNDB | id: | JVNDB-2009-005014 |
| db: | PACKETSTORM | id: | 81711 |
| db: | CNNVD | id: | CNNVD-200910-075 |
| db: | NVD | id: | CVE-2009-3486 |
LAST UPDATE DATE
2025-04-10T23:06:56.618000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-40932 | date: | 2009-10-05T00:00:00 |
| db: | BID | id: | 36537 | date: | 2009-09-29T16:40:00 |
| db: | BID | id: | 80431 | date: | 2009-09-30T00:00:00 |
| db: | JVNDB | id: | JVNDB-2009-005014 | date: | 2012-09-25T00:00:00 |
| db: | CNNVD | id: | CNNVD-200910-075 | date: | 2009-10-05T00:00:00 |
| db: | NVD | id: | CVE-2009-3486 | date: | 2025-04-09T00:30:58.490 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-40932 | date: | 2009-09-30T00:00:00 |
| db: | BID | id: | 36537 | date: | 2009-09-22T00:00:00 |
| db: | BID | id: | 80431 | date: | 2009-09-30T00:00:00 |
| db: | JVNDB | id: | JVNDB-2009-005014 | date: | 2012-09-25T00:00:00 |
| db: | PACKETSTORM | id: | 81711 | date: | 2009-09-29T12:47:23 |
| db: | CNNVD | id: | CNNVD-200910-075 | date: | 2009-09-30T00:00:00 |
| db: | NVD | id: | CVE-2009-3486 | date: | 2009-09-30T15:30:00.500 |