SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Security)  >   SonicWALL Email Security Vendors:   SonicWALL
SonicWALL Email Security Input Validation Hole Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1019999
SecurityTracker URL:  http://securitytracker.com/id/1019999
CVE Reference:   CVE-2008-2162   (Links to External Site)
Updated:  May 13 2008
Original Entry Date:  May 9 2008
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 6.1.1
Description:   A vulnerability was reported in SonicWALL Email Security. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input in the HTTP Host header parameter before displaying the input. A remote user can create a specially crafted request that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SonicWALL software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Deniz Cevik reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SonicWALL software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  sonicwall.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 8 May 2008 18:04:54 +0300
Subject:  [Full-disclosure] SonicWall e-mail security Host Header XSS

This is a multi-part message in MIME format.

--===============1826151100==
Content-class: urn:content-classes:message
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C8B11C.DF409954"

This is a multi-part message in MIME format.

------_=_NextPart_001_01C8B11C.DF409954
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Affected Software/Device: SonicWall E-mail Security

=20

Version: 6.1.1

=20

Vulnerability: Cross Site Scripting

=20

Risk: Low

=20

Description: SonicWALL Email Security is award-winning anti-spam,
anti-virus, anti-phishing, policy, and compliance management e-mail
protection solution. Available as a hardened appliance or as Windows
software, SonicWALL Email Security protects inbound and outbound e-mail
for organizations of less than 25 to over 100,000 users.

=20

Sonicwall web application utilizes host header for serving 404 Error
pages. The vulnerability can be exploited by requesting a non-existing
web page with a specially crafted host header. As the application does
not properly sanitize the data contained in the host header, desired
script code can be run on client browser.

=20

=20

Sample Request:

=20

GET /blah.htm HTTP/1.1

Host: "><script>alert('XSS');</script>

=20

Deniz CEVIK

www.intellectpro.com.tr


------_=_NextPart_001_01C8B11C.DF409954
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:x=3D"urn:schemas-microsoft-com:office:excel" =
xmlns:p=3D"urn:schemas-microsoft-com:office:powerpoint" =
xmlns:a=3D"urn:schemas-microsoft-com:office:access" =
xmlns:dt=3D"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" =
xmlns:s=3D"uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" =
xmlns:rs=3D"urn:schemas-microsoft-com:rowset" xmlns:z=3D"#RowsetSchema" =
xmlns:b=3D"urn:schemas-microsoft-com:office:publisher" =
xmlns:ss=3D"urn:schemas-microsoft-com:office:spreadsheet" =
xmlns:c=3D"urn:schemas-microsoft-com:office:component:spreadsheet" =
xmlns:oa=3D"urn:schemas-microsoft-com:office:activation" =
xmlns:html=3D"http://www.w3.org/TR/REC-html40" =
xmlns:q=3D"http://schemas.xmlsoap.org/soap/envelope/" xmlns:D=3D"DAV:" =
xmlns:x2=3D"http://schemas.microsoft.com/office/excel/2003/xml" =
xmlns:ois=3D"http://schemas.microsoft.com/sharepoint/soap/ois/" =
xmlns:dir=3D"http://schemas.microsoft.com/sharepoint/soap/directory/" =
xmlns:ds=3D"http://www.w3.org/2000/09/xmldsig#" =
xmlns:dsp=3D"http://schemas.microsoft.com/sharepoint/dsp" =
xmlns:udc=3D"http://schemas.microsoft.com/data/udc" =
xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema" =
xmlns:sub=3D"http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/"=
 xmlns:ec=3D"http://www.w3.org/2001/04/xmlenc#" =
xmlns:sp=3D"http://schemas.microsoft.com/sharepoint/" =
xmlns:sps=3D"http://schemas.microsoft.com/sharepoint/soap/" =
xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance" =
xmlns:udcxf=3D"http://schemas.microsoft.com/data/udc/xmlfile" =
xmlns=3D"http://www.w3.org/TR/REC-html40"
xmlns:ns2=3D"http://schemas.microsoft.com/office/2004/12/omml">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<style>
<!--p.MSOBODYTEXT
	{mso-style-priority:99;}
li.MSOBODYTEXT
	{mso-style-priority:99;}
div.MSOBODYTEXT
	{mso-style-priority:99;}
a:link
	{mso-style-priority:99;}
span.MSOHYPERLINK
	{mso-style-priority:99;}
a:visited
	{mso-style-priority:99;}
span.MSOHYPERLINKFOLLOWED
	{mso-style-priority:99;}
span.BODYTEXTCHAR
	{mso-style-priority:99;}

 /* Font Definitions */
 @font-face
	{font-family:Verdana;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
	{font-family:Calibri;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
p.MsoBodyText, li.MsoBodyText, div.MsoBodyText
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:justify;
	font-size:10.0pt;
	font-family:"Courier New";
	color:black;}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
span.BodyTextChar
	{font-family:Calibri;}
span.EmailStyle19
	{mso-style-type:personal;
	font-family:Arial;
	color:windowtext;}
span.charchar
	{font-family:"Courier New";
	color:black;}
span.EmailStyle21
	{mso-style-type:personal;
	font-family:Calibri;
	color:#1F497D;}
span.EmailStyle22
	{mso-style-type:personal-reply;
	font-family:Arial;
	color:navy;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Affected
Software/Device: SonicWall E-mail Security<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Version: =
6.1.1<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Vulnerability:=
 Cross
Site Scripting<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Risk: =
Low<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Description: =
SonicWALL
Email Security is award-winning anti-spam, anti-virus, anti-phishing, =
policy,
and compliance management e-mail protection solution. Available as a =
hardened
appliance or as Windows software, SonicWALL Email Security protects =
inbound and
outbound e-mail for organizations of less than 25 to over 100,000 =
users.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Sonicwall web
application utilizes host header for serving 404 Error pages. The =
vulnerability
can be exploited by requesting a non-existing web page with a specially =
crafted
host header. As the application does not properly sanitize the data =
contained
in the host header, desired script code can be run on client =
browser.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Sample =
Request:<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoBodyText><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana'>GET /blah.htm =
HTTP/1.1<o:p></o:p></span></font></p>

<p class=3DMsoBodyText><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana'>Host:
&quot;&gt;&lt;script&gt;alert('XSS');&lt;/script&gt;<o:p></o:p></span></f=
ont></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Deniz =
CEVIK<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>www.intellectp=
ro.com.tr<o:p></o:p></span></font></p>

</div>

</body>

</html>

------_=_NextPart_001_01C8B11C.DF409954--


--===============1826151100==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1826151100==--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC