[25912] in bugtraq
Re: XSS in CiscoSecure ACS v3.0
daemon@ATHENA.MIT.EDU (Lisa Napier)
Fri Jun 21 19:11:55 2002
Message-Id: <4.3.2.7.2.20020620143404.027e5618@twoguys>
Date: Thu, 20 Jun 2002 19:15:50 -0700
To: Dave Palumbo <dpalumbo@yahoo.com>, bugtraq@securityfocus.com
From: Lisa Napier <lnapier@cisco.com>
In-Reply-To: <20020614203944.35711.qmail@web9503.mail.yahoo.com>
Hi Dave,
Thank you for posting this information. The defect IDs for Cisco
customers who wish to track this issue via the Cisco Bug toolkit on our
website are: CSCdx88709 and CSCdx88715 for both affected release versions.
Thank you,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
At 01:39 PM 6/14/2002, Dave Palumbo wrote:
>sMax. Security Advisory
>-------------------------------
>
>Title: Cross-Site Scripting in CiscoSecure ACS v3.0
>Date: June 14, 2002
>
>PRODUCT AFFECTED:
>
>CiscoSecure ACS v3.0 (Win32)
>
>PRODUCT OVERVIEW:
>
>CiscoSecure ACS is Cisco's implementation of RADIUS.
>v3.0 is the current release of the product. Taken
>from their website: "Cisco Secure ACS provides
>authentication, authorization, and accounting
>(AAA—pronounced "triple A") services to network
>devices that function as AAA clients, such as a
>network access server, PIX Firewall, or router."
>
>VULNERABILITY:
>
>Testing CiscoSecure ACS v3.0(1), Build 40 reveals a
>cross-site scripting problem in the web server
>component. Specifically, the "action" argument that
>the setup.exe handler uses does not appear to do
>proper input validation. Other arguments were not
>tested, though they may be vulnerable as well.
>
>Proof-of-concept:
>http://IP.ADD.RE.SS:dyn_port/setup.exe?action=<script>alert('foo+bar')</script>&page=list_users&user=P*
>(URL may wrap)
>
>Obviously one needs to already be authenticated to the
>ACS web server for this to successfully be carried
>out.
>
>SOLUTION:
>
>Follow best practices, don't make the web component of
>ACS server available over the Internet.
>
>Cisco was contacted on May 21st. They have committed
>to fixing this in the next release of the software,
>due out in "mid to late summer".
>
>- Dave Palumbo
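
Added example, not part of the original posts and not Cisco code: a log check for the issue described in the advisory above, flagging requests to setup.exe whose "action" (or any other) parameter decodes to HTML markup. The Common Log Format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Common Log Format (an assumption: the advisory
# does not show the ACS web server's log format). The first line's
# action=list value is also made up. Addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - admin [14/Jun/2002:13:01:02 -0700] "GET /setup.exe?action=list&page=list_users&user=P* HTTP/1.0" 200 5120
192.0.2.44 - admin [14/Jun/2002:13:05:40 -0700] "GET /setup.exe?action=%3Cscript%3Ealert('foo+bar')%3C/script%3E&page=list_users&user=P* HTTP/1.0" 200 5188
192.0.2.44 - admin [14/Jun/2002:13:06:11 -0700] "GET /setup.exe?action=%253Cscript%253Ealert('foo+bar')%253C/script%253E&page=list_users&user=P* HTTP/1.0" 200 5190
192.0.2.10 - admin [14/Jun/2002:13:07:00 -0700] "GET /index.html HTTP/1.0" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3}')
# Characters that let a reflected value break out of text into HTML markup.
MARKUP_RE = re.compile(r'[<>"]')


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable: proxies and loggers may re-encode a URL."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text, handler="/setup.exe"):
    """Return (client, parameter, decoded value) for every request to
    `handler` that carries HTML markup characters in a query parameter."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if url.path.lower() != handler:
            continue
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if MARKUP_RE.search(value):
                hits.append((client, name, value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Because the advisory notes that other arguments were not tested, the check covers every query parameter of the handler rather than "action" alone.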