
Cross-Site Scripting vulnerability in Juniper NetScreen 5GT Antivirus HTTP Engine (supersedes PSN-2004-06-009)


Article ID: JSA10329 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 4.0
Legacy Advisory Id:
PSN-2004-06-011
Product Affected:
Juniper NetScreen 5GT firewalls running ScreenOS 5.0.0r1 - 5.0.0r7
Problem:
The antivirus scan engine in the Juniper Networks NetScreen 5GT firewall is susceptible to an HTTP cross-site scripting vulnerability.
When a user downloads Internet content using a Web browser, the antivirus scan engine scans the contents for viruses. If the file is a zip archive, the scan engine examines the member files within the archive. When a virus is detected, the user is presented with a virus notification dialog containing the name of the infected archive member. If an attacker manually crafts a zip archive containing a virus-infected file with a specially formatted filename, the notification dialog could present a cross-site scripting vulnerability.
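The pattern described above, modeled in Python as an added example (not Juniper or ScreenOS code): an archive member name is attacker-controlled input, so a notification page must encode it for the HTML context before output. The function names, the `MARKER` stand-in for a signature match, and the sample archive are all constructed for illustration.

```python
import html
import io
import zipfile

# Constructed stand-in for a scan-engine signature match (hypothetical, not a real AV check).
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"

def build_sample_archive() -> bytes:
    """Constructed zip whose flagged member carries markup in its filename."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"clean file")
        zf.writestr("<img src=x onerror=alert(1)>.exe", MARKER)
    return buf.getvalue()

def flagged_members(archive: bytes) -> list:
    """Return the names of archive members that match the stand-in signature."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [info.filename for info in zf.infolist() if MARKER in zf.read(info)]

def notify_unsafe(name: str) -> str:
    # Flawed pattern: the member name is pasted into the HTML as-is,
    # so markup in the filename becomes markup in the page.
    return f"<html><body><p>Virus found in: {name}</p></body></html>"

def notify_safe(name: str) -> str:
    # Hardened pattern: encode the name for the HTML context before output.
    encoded = html.escape(name, quote=True)
    return f"<html><body><p>Virus found in: {encoded}</p></body></html>"

if __name__ == "__main__":
    for member in flagged_members(build_sample_archive()):
        print("unsafe:", notify_unsafe(member))
        print("safe:  ", notify_safe(member))
```

The same encoding applies to any other archive metadata a scanner echoes back to the browser, such as the archive name or a member's comment field.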
Solution:
The antivirus scan engine has been modified to remove this vulnerability.
Implementation:
Upgrade to ScreenOS 5.0.0r8, which fixes this issue. Customers unable to upgrade to 5.0.0r8 at this time can disable HTTP protocol scanning in the Scan Manager.
Severity Level:
Medium
