From: Lisa Napier (lnapiercisco.com)
Date: Thu Jun 20 2002 - 21:15:50 CDT

    Hi Dave,

    Thank you for posting this information. The defect IDs for Cisco
    customers who wish to track this issue via the Cisco Bug toolkit on our
    website are: CSCdx88709 and CSCdx88715 for both affected release versions.

    Thank you,

    Lisa Napier
    Product Security Incident Response Team
    Cisco Systems

    At 01:39 PM 6/14/2002, Dave Palumbo wrote:
    >sMax. Security Advisory
    >-------------------------------
    >
    >Title: Cross-Site Scripting in CiscoSecure ACS v3.0
    >Date: June 14, 2002
    >
    >PRODUCT AFFECTED:
    >
    >CiscoSecure ACS v3.0 (Win32)
    >
    >PRODUCT OVERVIEW:
    >
    >CiscoSecure ACS is Cisco's implementation of RADIUS.
    >v3.0 is the current release of the product. Taken
    >from their website: "Cisco Secure ACS provides
    >authentication, authorization, and accounting
    >(AAA—pronounced "triple A") services to network
    >devices that function as AAA clients, such as a
    >network access server, PIX Firewall, or router."
    >
    >VULNERABILITY:
    >
    >Testing CiscoSecure ACS v3.0(1), Build 40 reveals a
    >cross-site scripting problem in the web server
    >component. Specifically, the "action" argument that
    >the setup.exe handler uses does not appear to do
    >proper input validation. Other arguments were not
    >tested, though they may be vulnerable as well.
    >
    >Proof-of-concept:
    >http://IP.ADD.RE.SS:dyn_port/setup.exe?action=>alert('foo+bar')</script>&page=list_users&user=P*
    >(URL may wrap)
    >
    >Obviously one needs to already be authenticated to the
    >ACS web server for this to successfully be carried
    >out.
    >
    >SOLUTION:
    >
    >Follow best practices, don't make the web component of
    >ACS server available over the Internet.
    >
    >Cisco was contacted on May 21st. They have committed
    >to fixing this in the next release of the software,
    >due out in "mid to late summer".
    >
    >- Dave Palumbo
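Added example, not part of the advisory or of Cisco's code: a defender-side log check for the issue described above, flagging requests to the `setup.exe` handler whose `action` argument decodes to HTML markup. The log format, the sample lines, the allowlist pattern and the function names are assumptions made for illustration; only `setup.exe`, `action` and `page=list_users` come from the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that let a reflected value break out of HTML text or an attribute.
MARKUP = re.compile(r"[<>\"']")
# Assumption: legitimate action values are short identifiers (the advisory lists none).
SAFE_ACTION = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Assumption: the request line appears quoted, as in common access-log formats.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not taken from a real ACS server
    '10.0.0.5 "GET /setup.exe?action=list&page=list_users HTTP/1.0" 200',
    '10.0.0.9 "GET /setup.exe?action=%3Cb%3Ex%3C%2Fb%3E&page=list_users HTTP/1.0" 200',
    '10.0.0.9 "GET /setup.exe?action=%253Cb%253Ex&page=list_users HTTP/1.0" 200',
    '10.0.0.7 "GET /index.htm?action=%3Cb%3E HTTP/1.0" 200',
]

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so that %253C is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_action(request_target):
    """Return the decoded action value of a setup.exe request if it is unsafe, else None."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/setup.exe"):
        return None
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "action":
            value = decode_fully(raw)
            if MARKUP.search(value) or not SAFE_ACTION.fullmatch(value):
                return value
    return None

def triage(lines):
    """Return (client, decoded action) for every log line that needs review."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        value = suspicious_action(match.group(1)) if match else None
        if value is not None:
            hits.append((line.split()[0], value))
    return hits
```

The same allowlist, applied in the handler before the value is echoed and combined with HTML-encoding on output, is the server-side counterpart of this check.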