Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Clientless SSL VPN products break web browser domain-based security models - CERT #261869

danielson_
Not applicable
‎12-07-2009 08:58:AM
‎12-07-2009 08:58:AM

Clientless SSL VPN products break web browser domain-based security models - CERT #261869

Has anyone heard Juniper advice or done any mitigiation on this they can share? TIA

"By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page. Because all content runs at the privilege level of the web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed. For additional information about impacts, please see CERT Advisory CA-2000-02 . "

http://www.kb.cert.org/vuls/id/261869

0 Kudos
Reply
1 REPLY 1
cbarcellos_
Regular Contributor
‎12-07-2009 09:26:AM
‎12-07-2009 09:26:AM

Re: Clientless SSL VPN products break web browser domain-based security models - CERT #261869

danielson: http://kb.pulsesecure.net/KB15799 has the information you are looking for. A PSN email was also sent out on this issue.
0 Kudos
Reply
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.