Check Point Connectra R62 Login Script Injection Vulnerability
scip AG Vulnerability ID 4020 (09/04/2009)
Check Point Connectra is a so-called SSL-VPN solution, which allows
users to access a remote system using a regular web browser.
More information is available on the official product web site at the
Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enabled an attacker to perform various
The initial logon script at /Login/Login, that is being used for
unauthenticated users to log in, fails to perform proper input
validation on the data that is being submitted via HTTP POST. While
certain fields are escaped before being sent back to users browser, the
parameter "vpid_prefix" lacks any validation and is therefore vulnerable
to script injection.
Other parts of the application might be affected too.
This vulnerability has been tested on version R62, other versions might
be affected as well.
Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities. The target
application does actually check for certain patterns and prevents an
attacker from using easy exploiting strings containing substrings like
be an imperfect mechanism that is unable to prevent an attack using a
more sophisticated payload. For a selection, you might want to check
RSnakes popular XSS Cheat Sheet, which contains several patterns not
being detected by the filter in place, allowing you execute any
arbitrary, externally hosted payload.
We exploited the vulnerability for a customer in order to proof the
possibility to capture usernames and passwords. One of the possibilities
mentioned above is, to embed a remote flash file and grant it the
permission to execute script code.
Vulnerable Variable Value:
vpid_prefix = ">