[ISN] Security flaw threatens Cisco Web site

From: InfoSec News (isnat_private)
Date: Fri Dec 20 2002 - 02:14:17 PST

  • Next message: InfoSec News: "[ISN] Firewall installed to prevent hacking"

    By Patrick Gray, ZDNet Australia
    19 December 2002
    Securiteam.com, an online security portal, have found a Cross-Site
    Scripting (XSS) vulnerability in the cisco.com Web site, according to
    an advisory.
    "The vulnerability would allow attackers to cause users to view
    third-party malicious JavaScript or HTML code as if it were the
    legitimate content offered by Cisco," the advisory said.
    XSS vulnerabilities are at their most serious when user logins are
    involved. They may in some circumstances make it possible for an
    attacker to "steal" a user’s session information, potentially allowing
    them to login as the victim user.
    It is not known if Cisco, which does have a client login function on
    their Web site, is vulnerable to this extent.
    "Session theft" attack types are not very easy to carry out, and must
    be directed at the user of the affected site, not the site itself.
    The Cisco Web site login function allows users to "…place and manage
    orders for Cisco networking products and services via the Internet".
    Logged in customers can also download versions of Cisco’s IOS software
    not normally available to the public.
    XSS vulnerabilities have become quite "in vogue" lately, with many
    security researchers focusing their efforts in detection and
    elimination of the security problem.
    The recently held hacking competition, OpenHack IV, dished out US$500
    to a single entrant, Jeremy Poteet, who found XSS vulnerabilities in
    the application being tested, which was engineered by Oracle.
    Cisco were unable to comment at the time of writing.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Dec 20 2002 - 20:08:09 PST