Is IronPort.com capable of delivering exploits through cross-site scripting?
Written by DP, Tuesday, 8 June 2010
  
UPDATE: this was fixed on June 9, very fast! 
  
The answer is "YES". The security researcher nicknamed "Hexspirit" has submitted to the archive a cross-site scripting vulnerability on an IronPort.com SSL (and supposedly "secure") support page. The XSS vector is only triggered through a POST request, but that is no real barrier: an attacker only has to lure a victim onto a page that auto-submits a form to the vulnerable URL, and the injected script then runs in the ironport.com origin, behind the padlock. From there an attacker could still exploit this issue to infect unsuspecting users and Cisco IronPort's customers and partners with malware, adware and spyware.
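To make the point concrete, here is an added example (not code from the original post, and not Cisco IronPort's code): a minimal model of a support-search page that reflects a POSTed field into its own HTML, first with raw interpolation and then with HTML escaping. The route `/support/search`, the field name `q` and the two payloads are assumptions constructed for illustration and are not taken from the real IronPort.com page. The two checks at the end show why an attribute-context reflection needs escaping even when the payload contains no angle bracket at all.

```javascript
// Added example (not from the original post and not Cisco IronPort's code):
// a minimal model of a support-search page that reflects a POSTed field into
// its own HTML, first with raw interpolation and then with HTML escaping.
// The route "/support/search", the field name "q" and the two payloads are
// assumptions constructed for illustration; none of them comes from the
// real IronPort.com page.

// Escape the five characters that can break out of HTML text or of a
// double-quoted attribute value. One helper covers both contexts used here.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Shared template: the submitted term is reflected twice, once inside an
// attribute value and once as text content. `render` decides how.
function searchPage(body, render) {
  const q = render(typeof body.q === 'string' ? body.q : '');
  return [
    '<form method="POST" action="/support/search">', // assumed route
    `  <input type="text" name="q" value="${q}">`,
    '</form>',
    `<p>No results for ${q}.</p>`,
  ].join('\n');
}

// Vulnerable: the POST body goes straight into markup. The HTTP method is not
// a defence; a browser reaches this handler from an attacker's auto-submitted
// form just as it would from a crafted link.
function renderSearchVulnerable(body) {
  return searchPage(body, (q) => q);
}

// Hardened: identical markup, every reflection passes through escapeHtml.
function renderSearchHardened(body) {
  return searchPage(body, escapeHtml);
}

// Check 1: how many tag starts ("<tag" or "</tag") does the output contain?
// The template on its own always produces exactly five.
const TEMPLATE_TAG_COUNT = 5;
function countTagStarts(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Check 2: which attributes does the <input> element end up with? The template
// declares only type, name and value; anything else was injected. This is a
// deliberately simple scan, meaningful for the attribute payload below.
function inputAttributeNames(html) {
  const tag = html.match(/<input([^>]*)>/);
  if (!tag) return [];
  return [...tag[1].matchAll(/([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]).sort();
}

// Constructed payloads: one targets the text-content sink, the other breaks
// out of the quoted attribute without using a single angle bracket.
const TEXT_PAYLOAD = '<script>alert(1)</script>';
const ATTR_PAYLOAD = '" autofocus onfocus="alert(1)';

// Run both renderers against one payload and summarise what each check sees.
function compare(payload) {
  const vuln = renderSearchVulnerable({ q: payload });
  const safe = renderSearchHardened({ q: payload });
  return {
    vulnerableTags: countTagStarts(vuln),
    hardenedTags: countTagStarts(safe),
    vulnerableInputAttrs: inputAttributeNames(vuln),
    hardenedInputAttrs: inputAttributeNames(safe),
  };
}

console.log(JSON.stringify(compare(TEXT_PAYLOAD), null, 2));
console.log(JSON.stringify(compare(ATTR_PAYLOAD), null, 2));
```

With the text payload the vulnerable page grows from five tag starts to nine, while the hardened page stays at five. With the attribute payload the tag count does not move at all for either version; only the attribute scan reveals the extra `onfocus` handler on the vulnerable page, which is exactly the case a "did it add a script tag" check would miss.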
  
IronPort.com (SSL page) XSS Mirror:

Screenshot:

Based on your own words, I would say practice what you preach: 
  
"IronPort's web reputation filters are protecting users from known and unknown exploits (including adware, Trojans, system monitors, keyloggers, malicious/tracking cookies, browser hijackers, browser helper objects and phishing attacks) delivered through cross-site scripting (XSS), cross-site request forgery, SQL injections or invisible iFrames."
  