[NEWS] SonicWALL SOHO Content Blocking Script Injection and Logfile DoS

From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 18 May 2002 23:09:24 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  SonicWALL SOHO Content Blocking Script Injection and Logfile DoS
------------------------------------------------------------------------

SUMMARY

SonicWALL SOHO <http://www.sonicwall.com/products/soho/index.html> is a
comprehensive and affordable Internet security solution for small offices
with limited network experience. A security vulnerability in the product
allows attackers to insert JavaScript code into the log file; when the log
is later viewed in its HTML format, the script is automatically executed.

DETAILS

Vulnerable systems:
SonicWALL SOHO3 Firmware version: 6.3.0.0, ROM version: 5.0.1.0

SonicWALL allows administrators to block websites based on a user-provided
list of domains. These websites are blocked, and the attempt logged,
whenever they are accessed by clients on the LAN interface.

By requesting a blocked URL with a script injected into it, an attacker can
cause an unsuspecting viewer (usually an administrator) to execute that
JavaScript whenever the log file is viewed.

The example below uses a commonly blocked ad server; note that the host must
be in your blocked sites list for the request to be logged.

bannerserver.gator.com/<SCR!PT>window.location.href="http://www.offroadwarehouse.com";</SCRIPT>
(Note: the letter i in SCRIPT has been replaced with ! in this message.)

This URL is written into the log file as-is. When an administrator (or
whoever views the logs) opens the log view, the script runs and the browser
is automatically redirected to the site of the attacker's choice.

Resolution:
Only after rebooting the unit will the log files become accessible again,
but the log is cleared on each reboot, so it is not possible to locate the
user on the LAN segment who initiated the attack.

Mitigating Factors:
This attack must come from the LAN interface, so it is not remotely
exploitable.
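As an added illustration (not part of the advisory, and not SonicWALL's code), the Python below shows the log-viewer flaw described above and its defences: an unescaped HTML render beside an output-encoded one, a write-time encoder that keeps markup out of the log store, and a check that flags logged URLs carrying raw markup so the LAN source can be identified before a reboot clears the log. The sample entries and their field layout are constructed assumptions.

```python
import html
import re
from urllib.parse import quote

# Constructed sample "blocked site" entries. The field layout is an assumption,
# not SonicWALL's real log format. The second URL is the advisory's payload with
# the real letter i restored in SCRIPT.
SAMPLE_ENTRIES = [
    {"src": "192.168.1.20", "url": "bannerserver.gator.com/ads/banner.gif"},
    {"src": "192.168.1.31",
     "url": 'bannerserver.gator.com/<SCRIPT>window.location.href='
            '"http://www.offroadwarehouse.com";</SCRIPT>'},
]


def render_row_unsafe(entry):
    """The vulnerable pattern: the logged URL is copied straight into the HTML log view."""
    return f"<tr><td>{entry['src']}</td><td>{entry['url']}</td></tr>"


def render_row_safe(entry):
    """Output-encode every logged field; markup inside a URL is then displayed, not run."""
    return (f"<tr><td>{html.escape(entry['src'], quote=True)}</td>"
            f"<td>{html.escape(entry['url'], quote=True)}</td></tr>")


# A well-formed URL never contains these literally (RFC 3986 requires them to be
# percent-encoded), so their presence in a logged URL is a strong injection signal.
_RAW_MARKUP = re.compile(r"[<>\"'\s]")


def looks_like_injection(url):
    """True when a logged URL carries raw markup or quote characters."""
    return bool(_RAW_MARKUP.search(url))


def find_suspicious(entries):
    """Pick out the entries (and so the LAN source addresses) worth investigating
    while the log still exists, since this unit clears it on reboot."""
    return [e for e in entries if looks_like_injection(e["url"])]


def encode_for_log(url):
    """Write-time defence: percent-encode anything outside the URL character set
    before the entry reaches the log store, so the stored value is inert in any viewer."""
    return quote(url, safe=":/?#[]@!$&()*+,;=%")
```

Running find_suspicious over a copy of the log as it is written (rather than only in the viewer) preserves the offending source address even though the unit itself discards the log on reboot.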

ADDITIONAL INFORMATION

The information has been provided by <mailto:rdnktrk@hotmail.com> E M.
