CVE-2019-25415
📋 TL;DR
Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability in the hotspot_permanent_users endpoint. Attackers can inject malicious JavaScript via the MACADDRESSES parameter in POST requests, executing arbitrary scripts in users' browsers. Organizations using Comodo Dome Firewall 2.7.0 are affected.
💻 Affected Systems
- Comodo Dome Firewall
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, hijack firewall management sessions, and gain full administrative control of the firewall to modify rules, exfiltrate network data, or pivot to internal networks.
Likely Case
Attackers trick authenticated administrators into clicking malicious links, stealing session tokens to perform unauthorized firewall configuration changes or data theft.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized, preventing execution while maintaining endpoint functionality.
🎯 Exploit Status
Exploitation requires the attacker to trick an authenticated user into clicking a malicious link. Public exploit code is available on Exploit-DB (ID 46408).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.0 or later
Vendor Advisory: https://cdome.comodo.com/firewall/
Restart Required: Yes
Instructions:
1. Log into the Comodo Dome Firewall management interface.
2. Navigate to System > Updates.
3. Check for available updates.
4. Install version 2.8.0 or later.
5. Restart the firewall service as prompted.
🔧 Temporary Workarounds
Input Validation Filter
Implement input validation to sanitize MACADDRESSES parameter values, rejecting any that contain JavaScript or HTML tags.
No built-in command; requires custom web application firewall rules or code modification.
Content Security Policy
Implement strict Content Security Policy headers to prevent inline script execution and restrict script sources.
Add the header Content-Security-Policy: script-src 'self' to HTTP responses. A policy without 'unsafe-inline' blocks the reflected inline payload, but only if the management interface's own pages do not depend on inline scripts; test the interface before deploying it.
🧯 If You Can't Patch
- Restrict access to firewall management interface to trusted IP addresses only using network ACLs.
- Implement web application firewall rules to block POST requests containing JavaScript patterns in the MACADDRESSES parameter.
🔍 How to Verify
Check if Vulnerable:
Test by sending a POST request to /hotspot_permanent_users with a MACADDRESSES parameter containing <script>alert('XSS')</script> and checking whether the response echoes the value unencoded so that the script executes.
Check Version:
ssh admin@firewall-ip 'show version' or check System > About in web interface
Verify Fix Applied:
After patching, repeat the test above - script should be properly encoded and not execute. Check that version is 2.8.0 or later.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /hotspot_permanent_users with MACADDRESSES parameter containing script tags or JavaScript keywords
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unusual outbound connections from firewall management interface
- HTTP requests with JavaScript payloads in POST parameters
SIEM Query:
source="firewall_logs" AND uri_path="/hotspot_permanent_users" AND http_method="POST" AND param="MACADDRESSES" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
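As an added example (not code from this page or from Comodo), the Input Validation Filter workaround and the log indicators above in Python: a strict allow-list for MACADDRESSES values, an output-encoding layer for anything echoed back, and a classifier run over constructed sample log lines in an assumed "METHOD PATH BODY" format. Function names, the regex patterns and the sample lines are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Allow-list for MACADDRESSES: one or more MAC addresses separated by commas or
# whitespace. Nothing else is accepted, so no script fragment reaches the page.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")

def validate_macaddresses(raw):
    """Return normalised MACs (upper-case, colon separated), or None on any bad token."""
    tokens = [t for t in re.split(r"[,\s]+", raw.strip()) if t]
    if not tokens or any(MAC_RE.match(t) is None for t in tokens):
        return None
    return [t.upper().replace("-", ":") for t in tokens]

def render_macaddresses(raw):
    """Output-encoding layer: escape before echoing into HTML, so a value that bypassed validation cannot break out."""
    return html.escape(raw, quote=True)

# Detection side: the patterns the page's SIEM query matches on, plus the
# allow-list above as an anomaly check (a MAC-only field should never fail it).
SCRIPT_PATTERN = re.compile(r"<\s*script|javascript:", re.IGNORECASE)
def classify_request(method, path, body):
    """Return a reason string for a suspicious request, or None if it looks benign."""
    if method != "POST" or path != "/hotspot_permanent_users":
        return None
    for value in parse_qs(body, keep_blank_values=True).get("MACADDRESSES", []):
        if SCRIPT_PATTERN.search(value):
            return "script-pattern"
        if validate_macaddresses(value) is None:
            return "non-mac-value"
    return None

# Constructed sample log lines in an assumed "METHOD PATH BODY" format.
SAMPLE_LOG = [
    "POST /hotspot_permanent_users MACADDRESSES=00:11:22:33:44:55,AA-BB-CC-DD-EE-FF",
    "POST /hotspot_permanent_users MACADDRESSES=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E",
    "POST /hotspot_permanent_users MACADDRESSES=javascript%3Aalert%281%29",
    "POST /hotspot_permanent_users MACADDRESSES=00:11:22:33:44:GG",
]

def scan_log(lines):
    """Return (line index, reason) for every log line classify_request flags."""
    hits = []
    for i, line in enumerate(lines):
        method, path, body = line.split(" ", 2)
        reason = classify_request(method, path, body)
        if reason:
            hits.append((i, reason))
    return hits
```

The "non-mac-value" reason catches encodings the literal "<script>" match in the SIEM query would miss, at the cost of also flagging typos in otherwise legitimate entries.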