Two XSS on Blue Coat ProxySG Management Console

Hey, no one ever claimed that Blue Coat was secure. Here you go:

From: <>
Date: 1 Nov 2007 17:20:04 -0000
(‘binary’ encoding is not supported, stored as-is) PR07-29: Two XSS on Blue Coat ProxySG Management Console

Vulnerability found: 23 July 2007

Vendor informed: 20 August 2007

Vulnerability fixed: 29 October 2007

Advisory publicly released: 1 November 2007

Severity: Medium


Blue Coat SG400 is vulnerable to a couple of XSS holes.

Vulnerable server-side script / unfiltered parameter: ‘/Secure/Local/console/install_upload_action/crl_format’ / ‘name’

Vulnerable server-side script / unfiltered parameter: ‘/Secure/Local/console/install_upload_from_file.htm’ / ‘file’


The admin user needs to be authenticated (HTTP basic authentication) for the injected JavaScript to run.

Successfully tested on:

Model: Blue Coat SG400
Software SGOS
Software Release ID: 25173

Proof of concept #1:


Injected payload:


Proof of concept #2:


Injected payload:


A neat payload to inject instead of a alert() box would be a phishing attack which would forward the username and password to a third-party site (the code could be inserted from a third-party site).


do {
        a=prompt(“Blue Coat SG400: an error has occurred\nPlease enter your USERNAME”,””);
        b=prompt(“Blue Coat SG400: an error has occurred\nPlease enter your PASSWORD”,””);
}while(a==null || b==null || a==”” || b==””);



An attacker may be able to cause execution of malicious scripting code in the browser of a Blue Coat SG400 admin who clicks on a link to a Blue Coat ProxySG Management Console. Such code would run within the context of the target domain.

This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: basic auth credentials stolen through a phishing attack as described in the Proof of Concept) to unauthorised third parties.

Fixed in:,


Credits: Adrian Pastor from ProCheckUp Ltd (
Received on Nov 01 2007



Thomas W Shinder, M.D.


Email: [email protected]

MVP — Microsoft Firewalls (ISA)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top