John Tolmachoff IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com -----Original Message----- From: E M [mailto:[EMAIL PROTECTED]] Sent: Friday, May 17, 2002 8:56 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service This advisory may be reproduced unmodified. Sonicwall SOHO Content Blocking Script Injection and Logfile DoS Test Unit : Sonicwall SOHO3 Firmware version: 6.3.0.0 ROM version: 5.0.1.0 Severity : Medium Issue : Sonicwall Allows administrators to block websites based on a user entered list of domains. These websites are blocked whenever they accessed by clients on the LAN interface. By passing a blocked URL injected script the attacker may execute scripts automatically when the logfile is viewed. The below example uses a commonly blocked ad server, please note this must be in your blocked sites list and that any site that is blocked will work fine. bannerserver.gator.com/<SCRIPT>window.location.href="http://www.offroadw arehouse.com";</SCRIPT> This will be injected into the logfile, when an Admin attempts to view the log files they will be automatically redirected to the site of your choice. Note that any <SCRIPT> is executed, for the example I show redirection as a means of Denial of Service. Resolution : Only after rebooting the unit will you gain access to the logfiles, the log is cleared on each reboot, thus you will be unable to locate the user on the LAN segment who initiated the attack. Mitigating Factors : This attack must come from the Lan interface, which means that it is not remotely exploitable, this conclusion may be false but will be tested further. Author : Eric McCarty [EMAIL PROTECTED] _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com --- [This E-mail scanned for viruses by Declude/F-Prot AV] =================================================================================================== To unsubscribe, send email to [EMAIL PROTECTED] In the body of the email put the following: unsubscribe sonicwall your_name The archive of this list is at http://www.mail-archive.com/sonicwall%40peake.com/
