CVE-2019-25378
📋 TL;DR
This CVE covers multiple cross-site scripting vulnerabilities in the proxy.cgi endpoint of Smoothwall Express 3.1. The proxy configuration parameters (CACHE_SIZE, MAX_SIZE, MIN_SIZE, MAX_OUTGOING_SIZE and MAX_INCOMING_SIZE) are written back into the page without HTML encoding, so JavaScript injected through them executes in the browser of the administrator viewing the proxy configuration page. Any organization running an affected Smoothwall Express 3.1 build is exposed.
💻 Affected Systems
- Smoothwall Express
📦 What is this software?
Smoothwall Express is a free, open-source Linux-based firewall distribution administered through a web interface; proxy.cgi is the page of that interface that configures its web proxy.
⚠️ Risk & Real-World Impact
Worst Case
Because the script runs in an authenticated administrator's browser session, an attacker could steal credentials or session tokens, redirect the administrator to a malicious site, or silently submit configuration changes on the administrator's behalf, including firewall and proxy settings, potentially leading to full compromise of the appliance.
Likely Case
More typically, an attacker would aim to capture session cookies or credentials in order to gain persistent access to the Smoothwall administrative interface.
If Mitigated
With input validation (the affected parameters only ever hold sizes, so anything that is not a plain integer can be rejected) and HTML output encoding, an injected payload is rendered as inert text instead of executable script.
🎯 Exploit Status
Exploitation requires access to the proxy configuration page, which sits behind the administrative login. An attacker without credentials would need to induce an authenticated administrator to submit the crafted request, for example through a link or form on a page the administrator visits. Public exploit code is available in Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update10 or later
Vendor Advisory: http://www.smoothwall.org
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Apply Smoothwall Express update10 or later from the official repository.
3. Restart the Smoothwall service.
4. Verify the fix by checking the installed version.
🔧 Temporary Workarounds
Input Validation Filter
Platform: Linux
Implement input validation that rejects any proxy configuration parameter which is not a plain integer before it is processed or echoed back into the page.
Modify /usr/lib/smoothwall/proxy.cgi to add parameter validation
Web Application Firewall
Platform: All
Deploy WAF rules that block markup or JavaScript in the proxy.cgi size parameters. The WAF must inspect POST bodies, not only query strings, since the form is submitted by POST.
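The validate-then-encode pattern the workaround describes, as an added illustration in Python (the Smoothwall CGI itself is Perl and is not reproduced on this page; the parameter names come from the advisory, the upper size bound is an assumption):

```python
"""Validate-then-encode for proxy.cgi's size parameters.

Added illustration for this advisory, not Smoothwall project code.
Parameter names are from the advisory; MAX_ALLOWED is an assumed bound.
"""
import html
from typing import Dict

SIZE_PARAMS = ["CACHE_SIZE", "MAX_SIZE", "MIN_SIZE",
               "MAX_OUTGOING_SIZE", "MAX_INCOMING_SIZE"]
MAX_ALLOWED = 10 ** 9  # assumed upper bound for any size field


def validate_sizes(form: Dict[str, str]) -> Dict[str, int]:
    """Return the size fields as ints; raise ValueError on anything that is
    not a non-negative integer within bounds (so markup can never get through)."""
    clean = {}
    for name in SIZE_PARAMS:
        raw = form.get(name, "")
        if not raw.isdigit() or int(raw) > MAX_ALLOWED:
            raise ValueError(f"{name}: expected a non-negative integer")
        clean[name] = int(raw)
    return clean


def render_field_unsafe(name: str, value: str) -> str:
    # Vulnerable pattern: the submitted value is concatenated straight into markup,
    # so a value of "><script>... breaks out of the attribute and runs.
    return f'<input name="{name}" value="{value}">'


def render_field(name: str, value) -> str:
    # Hardened pattern: encode on output regardless of validation, so even a
    # value that slipped through validation is rendered as text.
    return (f'<input name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(str(value), quote=True)}">')


def handle_submission(form: Dict[str, str]) -> str:
    """Apply both defences: reject bad input, then render encoded."""
    sizes = validate_sizes(form)
    return "\n".join(render_field(n, v) for n, v in sizes.items())
```

Validation alone is the primary fix for these fields; output encoding is kept as a second layer so that a future parameter which legitimately accepts free text cannot reintroduce the same bug.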
🧯 If You Can't Patch
- Restrict access to the proxy configuration page to trusted IP addresses only. This limits who can reach the page but does not protect an administrator on a trusted address whose browser is induced to submit the payload.
- Add a Content Security Policy that disallows inline script to limit what an injected payload can do. Test this first: if the administrative interface relies on inline scripts, a strict policy will break it unless those scripts are allowed or moved.
🔍 How to Verify
Check if Vulnerable:
Submit a POST request to proxy.cgi with a harmless marker such as "><test123> in each of CACHE_SIZE, MAX_SIZE, MIN_SIZE, MAX_OUTGOING_SIZE and MAX_INCOMING_SIZE, then inspect the returned HTML. If the marker comes back unencoded, script placed in the same position would execute; if it comes back as &quot;&gt;&lt;test123&gt;, the output is being encoded.
Check Version:
cat /var/smoothwall/main/version
Verify Fix Applied:
After patching, repeat the vulnerability test to confirm scripts no longer execute.
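The vulnerable/patched check described above as a runnable probe. This is an added example, not Smoothwall or Exploit-DB code: the parameter names are the advisory's, while the path /cgi-bin/proxy.cgi, the HTTPS admin port 441 in the usage line and the way credentials are passed (an Authorization header) are assumptions to adjust for your deployment. Run it only against systems you are authorised to test.

```python
"""Probe Smoothwall Express proxy.cgi for unencoded reflection of a marker.

Added example for this advisory, not Smoothwall project code. Parameter names
are from the advisory; URL path, port and credential header are assumptions.
"""
import html
import secrets
import ssl
import urllib.parse
import urllib.request
from typing import Dict, Optional

PARAMS = ["CACHE_SIZE", "MAX_SIZE", "MIN_SIZE",
          "MAX_OUTGOING_SIZE", "MAX_INCOMING_SIZE"]

# Benign values for every field the form expects (assumed acceptable defaults).
SAFE_VALUES = {p: "1024" for p in PARAMS}


def make_probe(marker: str) -> str:
    # Breaks out of a quoted attribute and inserts a non-executing marker tag.
    # If the page echoes it unchanged, a real <script> payload would run too.
    return f'"><xss{marker}>'


def classify_reflection(body: str, probe: str) -> str:
    """'unencoded' if the probe is echoed verbatim (vulnerable),
    'encoded' if it comes back HTML-escaped (safe), else 'absent'."""
    if probe in body:
        return "unencoded"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


def build_request(base_url: str, param: str, probe: str,
                  headers: Optional[Dict[str, str]] = None) -> urllib.request.Request:
    """POST the form with one parameter set to the probe and all others benign."""
    fields = dict(SAFE_VALUES)
    fields[param] = probe
    data = urllib.parse.urlencode(fields).encode()
    hdrs = {"Content-Type": "application/x-www-form-urlencoded"}
    hdrs.update(headers or {})
    return urllib.request.Request(base_url, data=data, headers=hdrs, method="POST")


def probe_host(base_url: str,
               headers: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Send one probe per parameter and return {param: classification}."""
    # Assumption: the admin UI uses a self-signed certificate, so skip verification.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    results = {}
    for param in PARAMS:
        probe = make_probe(secrets.token_hex(4))  # unique per request
        req = build_request(base_url, param, probe, headers)
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            body = resp.read().decode("utf-8", errors="replace")
        results[param] = classify_reflection(body, probe)
    return results


# Constructed response fragments showing the two outcomes (not captured data).
VULNERABLE_FRAGMENT = '<input name="CACHE_SIZE" value=""><xssdeadbeef>">'
PATCHED_FRAGMENT = '<input name="CACHE_SIZE" value="&quot;&gt;&lt;xssdeadbeef&gt;">'

if __name__ == "__main__":
    import sys
    # Usage (assumed URL): python probe.py https://192.0.2.1:441/cgi-bin/proxy.cgi
    # Supply credentials via headers, e.g. {"Authorization": "Basic ..."}.
    print(probe_host(sys.argv[1]))
```

Using a per-request random marker rather than a fixed <script> payload keeps the probe harmless and avoids false positives from a page that happens to contain the same string elsewhere; the same run before and after patching gives the "Verify Fix Applied" step a concrete answer.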
📡 Detection & Monitoring
Log Indicators:
- Requests to proxy.cgi with script tags or JavaScript in the values of CACHE_SIZE, MAX_SIZE, MIN_SIZE, MAX_OUTGOING_SIZE or MAX_INCOMING_SIZE. Standard web access logs record the query string but not POST bodies, so payloads sent in the body are only visible in WAF, audit or application logs.
- Unusual access patterns to the proxy configuration page, such as requests from an address that does not normally administer the appliance.
Network Indicators:
- HTTP requests containing <script> tags or JavaScript functions in proxy.cgi parameters
SIEM Query (pseudo-query; adapt field names to your SIEM):
source="web_access.log" AND uri="*/proxy.cgi" AND (param="CACHE_SIZE" OR param="MAX_SIZE" OR param="MIN_SIZE" OR param="MAX_OUTGOING_SIZE" OR param="MAX_INCOMING_SIZE") AND (content="<script>" OR content="javascript:")
A query over access logs alone only catches payloads carried in the query string or in bodies your WAF or audit logging has captured.
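The detection logic behind those indicators, run over sample log lines. This is an added example, not Smoothwall or SIEM vendor code: the log lines are constructed in Apache combined format, the path /cgi-bin/proxy.cgi is an assumption, and the POST body is passed in separately because access logs do not contain it.

```python
"""Flag proxy.cgi requests carrying script-like payloads in the size parameters.

Added example for this advisory, not Smoothwall project code. Sample lines
below are constructed; /cgi-bin/proxy.cgi is an assumed path.
"""
import re
import urllib.parse
from typing import Iterable, List, Optional

TARGET_PARAMS = {"CACHE_SIZE", "MAX_SIZE", "MIN_SIZE",
                 "MAX_OUTGOING_SIZE", "MAX_INCOMING_SIZE"}

# These fields should only ever hold a number, so any markup, a javascript:
# URL or an on*= handler in them is suspicious, not just a literal <script>.
XSS_PATTERN = re.compile(r"<\s*/?\w|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Apache combined log format: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def suspicious_params(params: dict) -> List[str]:
    """Return the vulnerable parameters whose values look like markup or script."""
    return sorted(k for k, vals in params.items()
                  if k in TARGET_PARAMS and any(XSS_PATTERN.search(v) for v in vals))


def scan_line(line: str, body: Optional[str] = None) -> Optional[dict]:
    """Return an alert for a proxy.cgi request with a suspicious parameter, else None.

    `body` is the urlencoded POST body if a WAF or audit log captured it;
    the access log line itself only carries the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    if not path.endswith("/proxy.cgi"):
        return None
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    if body:
        params.update(urllib.parse.parse_qs(body, keep_blank_values=True))
    hits = suspicious_params(params)
    if not hits:
        return None
    return {"ip": m["ip"], "user": m["user"], "ts": m["ts"],
            "method": m["method"], "params": hits}


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Scan access-log lines (query string only) and return all alerts."""
    return [a for a in (scan_line(ln) for ln in lines) if a]


# Constructed sample lines (not real traffic). Only the second should alert
# from the access log alone; the first only alerts once its body is supplied.
SAMPLE_LOG = [
    '192.0.2.10 - admin [12/Mar/2019:10:15:01 +0000] "POST /cgi-bin/proxy.cgi HTTP/1.1" 200 5120',
    '192.0.2.10 - admin [12/Mar/2019:10:15:30 +0000] "GET /cgi-bin/proxy.cgi?CACHE_SIZE=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&MAX_SIZE=4096 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [12/Mar/2019:10:16:00 +0000] "GET /cgi-bin/index.cgi?q=%3Cscript%3E HTTP/1.1" 200 100',
    '192.0.2.10 - admin [12/Mar/2019:10:17:00 +0000] "GET /cgi-bin/proxy.cgi?CACHE_SIZE=1024&MIN_SIZE=0 HTTP/1.1" 200 5120',
]
# Constructed POST body as a WAF audit log might record it for the first line.
SAMPLE_BODY = "CACHE_SIZE=1024&MIN_SIZE=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print(scan_line(SAMPLE_LOG[0], body=SAMPLE_BODY))
```

Matching on "anything that is not a number" in these specific fields is tighter than a generic <script> signature: it catches event-handler and image-tag payloads the SIEM query above would miss, while ignoring the same strings in unrelated parameters of other pages.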