December 10th, 2007 ======= Summary ======= Name: Websense XSS Vulnerability Release Date: 10 December 2007 Reference: LSD002-2007 Discover: Dave Lewis CVE:Pending Vendor: Websense Product: Websense Enterprise and Websense Web Security Suite Systems Affected: version 6.3 (as tested) Risk: Less Critical Status: Published Reference: http://www.liquidmatrix.org/blog/2007/12/10/advisory-websense-xss-vulner ability/ ======== Time Line ======== Discovered: 8 November 2007 Reported: 8 November 2007 Fixed: 21 November 2007 Patch Release: 21 November 2007 Published: 10 December 2007 =========== Description =========== Websense Enterprise and Websense Web Security Suite contain a vulnerability in the login page is susceptible to a cross site scripting (XSS) attack. Impact: a remote attacker could execute a XSS attack that could pass arbitrary html to the user. ================= Technical Details ================= Input passed to the "username" field of the login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. =============== Fix Information =============== This issue has now been resolved. The patch may be obtained from: http://www.websense.com (Hotfix #80) Knowledge Base #1840 http://www.websense.com/SupportPortal/SupportKbs/1840.aspx =============================== Liquidmatrix Security Digest http://www.liquidmatrix.org/blog/ 2255B Queen Street East suite 156 Toronto, Ontario Canada M4E 1G3