Full Disclosure mailing list archives
Reflected XSS vulnerabilities in DELL SonicWALL GMS 7.2 Build: 7221.1701 (CVE-2014-5024)
From: William Costa <william.costa () gmail com>
Date: Tue, 22 Jul 2014 14:59:20 -0300
I. VULNERABILITY ------------------------- Reflected XSS vulnerabilities in DELL SonicWALL GMS 7.2 Build: 7221.1701 II. BACKGROUND ------------------------- Dell® SonicWALL® provides intelligent network security and data protection solutions that enable customers and partners to dynamically secure, control, and scale their global networks. III. DESCRIPTION ------------------------- Has been detected a Reflected XSS vulnerability in DELL SonicWALL GMS. The code injection is done through the parameter "node_id" in the page “/sgms/panelManager?level=1&typeOfUnits=2&node_name=GlobalView&node_id=(HERE XSS)” IV. PROOF OF CONCEPT ------------------------- The application does not validate the parameter “node_ID” correctly. https://10.200.210.222:8443/sgms/panelManager?level=1&typeOfUnits=2&node_name=GlobalView&node_id=aaaaaaa'</script><body onload=alert(document.cookie)>&panelidz=0,4#tabs-4 V. BUSINESS IMPACT ------------------------- An attacker can execute arbitrary HTML or script code in a targeted user's browser, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser allowing Cookie Theft/Session Hijacking, thus enabling full access the box. VI. SYSTEMS AFFECTED ------------------------- Tested DELL SonicWALL Analyzer v7.2 (build 7220.1700) VII. SOLUTION ------------------------- https://support.software.dell.com/product-notification/128245 By William Costa william.costa () gmail com _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Reflected XSS vulnerabilities in DELL SonicWALL GMS 7.2 Build: 7221.1701 (CVE-2014-5024) William Costa (Jul 22)