Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Dave Palumbo (dpalumboyahoo.com)
Date: Fri Jun 14 2002 - 15:39:44 CDT
sMax. Security Advisory
Title: Cross-Site Scripting in CiscoSecure ACS v3.0
Date: June 14, 2002
CiscoSecure ACS v3.0 (Win32)
CiscoSecure ACS is Cisco's implementation of RADIUS.
v3.0 is the current release of the product. Taken
from their website: "Cisco Secure ACS provides
authentication, authorization, and accounting
(AAA—pronounced "triple A") services to network
devices that function as AAA clients, such as a
network access server, PIX Firewall, or router."
Testing CiscoSecure ACS v3.0(1), Build 40 reveals a
cross-site scripting problem in the web server
component. Specifically, the "action" argument that
the setup.exe handler uses does not appear to do
proper input validation. Other arguments were not
tested, though they may be vulnerable as well.