_________________________________________
Security Advisory
_________________________________________
_________________________________________

  Severity: Medium
  Title: SonicWALL SSL-VPN 200 Cross-Site Scripting Vulnerability
  Date: 13.09.2006 / Update: 03.07.2007
  Author: Nikolas Sotiriu (nsotiriu (at) sotiriu (dot) de)
  Vendor: SonicWALL (http://www.sonicwall.com)
  Affected Products: SonicWALL SSL-VPN 200 1.5.0.x (maybe older)
  Not Affected Products: SonicWALL SSL-VPN 200 >= 2.0.0.1 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Description:
------------

The "err" variable of the Login Page is not correctly checked for
<iframe> tags. It is possible to embed HTML into the SSL-VPN Login
Page. This could potentially allow XSS attacks to be performed
against a valid User or Admin account. 

Many other Tags (like <script>) are correctly filtered. 


POC:
----

https://<ssl-vpn200>/cgi-bin/welcome?err=<iframe>XSS</iframe>



Analysis:
---------

Phishing of Username and Password could be possible



Vendor Response:
----------------

Version 2.0.0.1 Release Notes:

46043: Symptom: It is possible to embed <iframe> HTML tags into the
SSL-VPN login page. Condition: Can occur if someone embeds <iframe>
tags into the SSL-VPN login page.



Disclosure Timeline:
--------------------

2006.08.02 - Vulnerability found (no time to report until now *sorry*)
2006.10.25 - Vulnerability reported to vendor
2007.01.16 - Vulnerability Patched by vender (Version 2.0.0.1)
2007.07.03 - Public Disclosure