ProCheckUp has reported a weakness and some vulnerabilities in Check Point UTM-1 Edge and Safe@Office, which can be exploited by malicious people to conduct cross-site scripting, request forgery, and spoofing attacks and disclose sensitive information.

1) Input passed via the "url" parameter to pub/ufp.html (when "mask" and "swpreview" are set) and the "sw__custom" parameter to diag_command.html (when "sw__ver" and "swdata" are set) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) The WebUI allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to perform script insertion attacks if a user visits a specially crafted web page.

3) Input passed via the "swcaller" parameter to e.g. 12/ is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

4) The application does not restrict access to the /pub/test.html script, which can be exploited to disclose the patch level, license information, and MAC addresses.

The weakness and the vulnerabilities are reported in versions prior to 8.2.44.

Solution
Update to version 8.2.44.
Further details available to Secunia VIM customers

Provided and/or discovered by
Richard Brain, ProCheckUp.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Checkpoint (sk65460):
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65460

ProCheckUp:
http://procheckup.com/procheckup-labs/pr11-07.aspx

Deep Links
Links available to Secunia VIM customers