CVE-2019-25385
📋 TL;DR
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains a reflected cross-site scripting vulnerability in the outgoing.cgi endpoint. Attackers can inject malicious JavaScript via MACHINE and MACHINECOMMENT parameters in POST requests, potentially stealing session cookies and authentication tokens. Organizations using this specific Smoothwall Express version are affected.
💻 Affected Systems
- Smoothwall Express
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the Smoothwall firewall, reconfigure firewall rules, intercept all network traffic, and compromise internal systems.
Likely Case
Attackers steal user session cookies through phishing links, hijack authenticated sessions, and perform unauthorized actions within the Smoothwall interface.
If Mitigated
Attackers can execute JavaScript in victim browsers but cannot steal cookies if HttpOnly flags are set, limiting impact to UI manipulation.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID 46333). The attack requires user interaction (clicking a malicious link) but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update10 or later
Vendor Advisory: http://www.smoothwall.org
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download and install Smoothwall Express 3.1-SP4-polar-x86_64-update10 or later from smoothwall.org.
3. Restart the Smoothwall system.
4. Verify the fix by testing the outgoing.cgi endpoint.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Deploy WAF rules to block XSS payloads in the MACHINE and MACHINECOMMENT parameters
ModSecurity rule: SecRule ARGS:MACHINE "@rx <script" "id:1001,phase:2,deny,status:403,msg:'XSS attempt in MACHINE parameter'"
ModSecurity rule: SecRule ARGS:MACHINECOMMENT "@rx <script" "id:1002,phase:2,deny,status:403,msg:'XSS attempt in MACHINECOMMENT parameter'"
Input Validation Filter
Add input sanitization to the outgoing.cgi script to strip HTML/JavaScript from the parameters
Edit /httpd/cgi-bin/outgoing.cgi
Add: $machine =~ s/[<>"']//g;          # drop angle brackets and quotes before the value is echoed back
Add: $machinecomment =~ s/[<>"']//g;   # same treatment for the comment field
Note that this removes the characters outright; HTML-encoding the values at the point where they are written into the page preserves the data and is the more robust alternative.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Deploy network segmentation to isolate Smoothwall management interface from user networks
🔍 How to Verify
Check if Vulnerable:
Send a POST request to /cgi-bin/outgoing.cgi with the payload MACHINE=<script>alert('XSS')</script>&MACHINECOMMENT=test. If the JavaScript executes in the browser, the system is vulnerable.
Check Version:
cat /var/smoothwall/main/version | grep -i smoothwall
Verify Fix Applied:
Repeat the same test after patching. The JavaScript should not execute, and the submitted input should be returned sanitized.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /cgi-bin/outgoing.cgi containing <script> tags in parameters
- Unusual parameter values in outgoing.cgi access logs
Network Indicators:
- HTTP requests with JavaScript payloads in POST body to Smoothwall management interface
SIEM Query:
source="smoothwall.logs" AND url_path="/cgi-bin/outgoing.cgi" AND (http_method="POST" AND (body="*<script>*" OR body="*javascript:*"))
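As an added detection example (constructed here, not part of the advisory or of Smoothwall), the following Python applies the indicators used by the ModSecurity rules and the SIEM query above to request records, but only after URL-decoding and case-folding the MACHINE and MACHINECOMMENT values, since a literal `<script` match misses percent-encoded or mixed-case forms of the same payload. The tab-separated record format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Scope of the advisory: POST requests to this endpoint, these two parameters.
TARGET_PATH = "/cgi-bin/outgoing.cgi"
WATCHED_PARAMS = ("MACHINE", "MACHINECOMMENT")

# The advisory's own indicators (<script>, javascript:), matched case-insensitively
# and tolerating whitespace, which a literal "*<script>*" wildcard does not.
SUSPICIOUS = re.compile(r"<\s*/?\s*script\b|javascript\s*:", re.IGNORECASE)


def suspicious_params(method, path, body):
    """Return the watched parameter names whose decoded value carries an indicator."""
    if method.upper() != "POST" or path.split("?")[0] != TARGET_PATH:
        return []
    # parse_qs percent-decodes once and turns '+' into spaces.
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            # Decode a second time so a double-encoded payload (%253C -> %3C -> <)
            # is inspected in its final form (good enough for detection, not for sanitising).
            if SUSPICIOUS.search(unquote_plus(value)):
                hits.append(name)
                break
    return hits


# Constructed request records, one per line: METHOD<TAB>PATH<TAB>BODY.
SAMPLE_LOG = [
    "POST\t/cgi-bin/outgoing.cgi\tMACHINE=192.168.1.10&MACHINECOMMENT=printer",
    "POST\t/cgi-bin/outgoing.cgi\tMACHINE=<script>alert('XSS')</script>&MACHINECOMMENT=test",
    "POST\t/cgi-bin/outgoing.cgi\tMACHINE=x&MACHINECOMMENT=%3CScRiPt%3Ealert(1)%3C%2FsCrIpT%3E",
    "POST\t/cgi-bin/outgoing.cgi\tMACHINE=%253Cscript%253E&MACHINECOMMENT=",
    "POST\t/cgi-bin/other.cgi\tMACHINE=<script>",
    "GET\t/cgi-bin/outgoing.cgi\tMACHINE=<script>",
]


def scan_log(lines):
    """Apply the check to each record; return (index, [flagged params]) for every hit."""
    flagged = []
    for idx, line in enumerate(lines):
        method, path, body = line.split("\t", 2)
        hits = suspicious_params(method, path, body)
        if hits:
            flagged.append((idx, hits))
    return flagged
```

Records 1 to 3 of the sample are flagged (literal, mixed-case percent-encoded, and double-encoded forms of the advisory's payload); the request to another endpoint and the GET are left alone because the advisory scopes the issue to POST requests on outgoing.cgi.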