OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Dave Palumbo (dpalumboyahoo.com)
Date: Fri Jun 14 2002 - 15:39:44 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    sMax. Security Advisory
    -------------------------------

    Title: Cross-Site Scripting in CiscoSecure ACS v3.0
    Date: June 14, 2002

    PRODUCT AFFECTED:

    CiscoSecure ACS v3.0 (Win32)

    PRODUCT OVERVIEW:

    CiscoSecure ACS is Cisco's implementation of RADIUS.
    v3.0 is the current release of the product. Taken
    from their website: "Cisco Secure ACS provides
    authentication, authorization, and accounting
    (AAA—pronounced "triple A") services to network
    devices that function as AAA clients, such as a
    network access server, PIX Firewall, or router."

    VULNERABILITY:

    Testing CiscoSecure ACS v3.0(1), Build 40 reveals a
    cross-site scripting problem in the web server
    component. Specifically, the "action" argument that
    the setup.exe handler uses does not appear to do
    proper input validation. Other arguments were not
    tested, though they may be vulnerable as well.

    Proof-of-concept:
    http://IP.ADD.RE.SS:dyn_port/setup.exe?action=>alert('foo+bar')</script>&page=list_users&user=P*
    (URL may wrap)

    Obviously one needs to already be authenticated to the
    ACS web server for this to successfully be carried
    out.

    SOLUTION:

    Follow best practices, don't make the web component of
    ACS server available over the Internet.

    Cisco was contacted on May 21st. They have committed
    to fixing this in the next release of the software,
    due out in "mid to late summer".

    - Dave Palumbo

    __________________________________________________
    Do You Yahoo!?
    Yahoo! - Official partner of 2002 FIFA World Cup
    http://fifaworldcup.yahoo.com