Document Title:
===============
SonicWall Aventail v7.2.16 - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=286

CNNVD-201112-148

Release Date:
=============
2011-11-17

Vulnerability Laboratory ID (VL-ID):
====================================
286

Product & Service Introduction:
===============================
When managing secure remote access, administrators need to be able to know precisely who accessed what resources, from where and when. SonicWALL® Aventail® Advanced Reporting delivers a robust hierarchical log analysis tool that enables IT to track and evaluate all remote user access to an organization’s resources over a SonicWALL Aventail E-Class Secure Remote Access (SRA) appliance. Designed with all the configurability and power needed to generate and customize reports to meet enterprise-class IT and user requirements, Advanced Reporting allows IT to also automate repetitive functions such as updating databases and generating key reports.

(Copy of the Vendor Homepage: http://www.sonicwall.com/de/488_8564.html)

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation vulnerabilities in SonicWall's Aventail Advanced Reporting application.

Vulnerability Disclosure Timeline:
==================================
2011-04-22: Vendor Notification
2011-09-05: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2011-11-18: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Multiple persistent input validation vulnerabilities are detected in SonicWall's Aventail Advanced Reporting application.
The vulnerability allows a remote attacker or a local low privileged user account to inject persistent script code like JS/HTML. Successful exploitation can result in session hijacking, phishing & persistent content manipulation.

Vulnerable Module(s):
[+] Logout URL
[+] Temporary folder URL; CGI folder
[+] Index Username Output

Affected Version(s):
Aventail Advanced Reporting - aar7.2.16_x64 - windows
Aventail Advanced Reporting - aar7.2.16_x86 - linux-es4
Aventail Advanced Reporting - aar7.2.16_x86 - linux-es5
Aventail Advanced Reporting - aar7.2.16_x64 - linux-es4
Aventail Advanced Reporting - aar7.2.16_x64 - linux-es5

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with required user interaction or by local low privileged user accounts. For demonstration or reproduce ...

Review: Logout URL
?????Logout URL:>"????? ... or ?????Logout URL:>"?????

Review: Temporary folder URL
?????Temporary folder URL:>"?????

Review: Index output
?????css/sidebar.css" rel="stylesheet" type="text/css" />
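
Added example (not part of the original advisory and not SonicWall code): a sketch of the missing controls for the fields listed under Vulnerable Module(s), showing a stored value rendered without and with output encoding, plus input validation for the URL settings. The setting names, the page layout and the host portal.example are assumptions made for illustration; the advisory does not show the product's rendering code.

```python
import html
from urllib.parse import urlsplit

# Hypothetical setting names modelled on the advisory's affected fields.
URL_FIELDS = ("logout_url", "temp_folder_url")
ALLOWED_SCHEMES = {"http", "https"}
# Characters that have no place in a stored URL setting: quotes, angle
# brackets, backtick, space and ASCII control characters.
FORBIDDEN = set('"\'<>` ') | {chr(c) for c in range(0x20)}


def validate_url_setting(value: str) -> str:
    """Input side: accept only absolute http(s) URLs without markup characters."""
    if any(ch in FORBIDDEN for ch in value):
        raise ValueError("URL setting contains markup or control characters")
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("URL setting must be an absolute http(s) URL")
    return value


def render_unsafe(settings: dict) -> str:
    """The flawed pattern: stored values concatenated into markup as-is."""
    return ('<p>Logged in as %(username)s</p>'
            '<a href="%(logout_url)s">Logout</a>' % settings)


def render_safe(settings: dict) -> str:
    """Output side: encode every stored value for its HTML context."""
    esc = {k: html.escape(str(v), quote=True) for k, v in settings.items()}
    return ('<p>Logged in as %(username)s</p>'
            '<a href="%(logout_url)s">Logout</a>' % esc)


# Constructed sample record; the marker is inert and only shows where
# stored markup would land in the page.
STORED = {
    "username": "<i>constructed-marker</i>",
    "logout_url": 'https://portal.example/logout"><i>constructed-marker</i>',
}

if __name__ == "__main__":
    print("unsafe:", render_unsafe(STORED))
    print("safe:  ", render_safe(STORED))
    for field in URL_FIELDS:
        try:
            validate_url_setting(STORED.get(field, ""))
        except ValueError as exc:
            print(f"rejected {field}: {exc}")
```

Validation at write time and encoding at render time are both needed: values stored before the validation existed, or written through another path, are still neutralised when the page is built.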