Re: XSS in CiscoSecure ACS v3.0

From: Lisa Napier (lnapierat_private)
Date: Thu Jun 20 2002 - 19:15:50 PDT

    Hi Dave,
    
    Thank you for posting this information.  The defect IDs for Cisco 
    customers who wish to track this issue via the Cisco Bug toolkit on our 
    website are: CSCdx88709 and CSCdx88715 for both affected release versions.
    
    Thank you,
    
    Lisa Napier
    Product Security Incident Response Team
    Cisco Systems
    
    At 01:39 PM 6/14/2002, Dave Palumbo wrote:
    >sMax. Security Advisory
    >-------------------------------
    >
    >Title:  Cross-Site Scripting in CiscoSecure ACS v3.0
    >Date:   June 14, 2002
    >
    >PRODUCT AFFECTED:
    >
    >CiscoSecure ACS v3.0 (Win32)
    >
    >PRODUCT OVERVIEW:
    >
    >CiscoSecure ACS is Cisco's implementation of RADIUS.
    >v3.0 is the current release of the product.  Taken
    >from their website: "Cisco Secure ACS provides
    >authentication, authorization, and accounting
    >(AAA—pronounced "triple A") services to network
    >devices that function as AAA clients, such as a
    >network access server, PIX Firewall, or router."
    >
    >VULNERABILITY:
    >
    >Testing CiscoSecure ACS v3.0(1), Build 40 reveals a
    >cross-site scripting problem in the web server
    >component.  Specifically, the "action" argument that
    >the setup.exe handler uses does not appear to do
    >proper input validation.  Other arguments were not
    >tested, though they may be vulnerable as well.
    >
    >Proof-of-concept:
    >http://IP.ADD.RE.SS:dyn_port/setup.exe?action=>alert('foo+bar')</script>&page=list_users&user=P*
    >(URL may wrap)
    >
    >Obviously one needs to already be authenticated to the
    >ACS web server for this to successfully be carried
    >out.
    >
    >SOLUTION:
    >
    >Follow best practices, don't make the web component of
    >ACS server available over the Internet.
    >
    >Cisco was contacted on May 21st.  They have committed
    >to fixing this in the next release of the software,
    >due out in "mid to late summer".
    >
    >- Dave Palumbo
    >
    
    
    



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 15:48:38 PDT
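
An added example, not part of the original advisory or of Cisco's code: a Python check that scans web request lines for setup.exe requests whose "action" value, after undoing repeated percent-encoding, falls outside a plain-token allowlist. The request-line format, the allowlist pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Assumption: legitimate "action" values are short plain tokens.
SAFE_ACTION = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so %253C and %3C both become '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_action(url):
    """Return the decoded action value if it is outside the allowlist, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/setup.exe"):
        return None
    # parse_qsl performs the first round of percent-decoding.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "action":
            decoded = decode_fully(value)
            if not SAFE_ACTION.match(decoded):
                return decoded
    return None

def scan(request_lines):
    """Return (line_number, decoded_value) for each flagged request line."""
    hits = []
    for number, line in enumerate(request_lines, 1):
        fields = line.split()
        if len(fields) < 2:
            continue  # not a "METHOD URL ..." line
        value = suspicious_action(fields[1])
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample request lines (assumed "METHOD URL PROTOCOL" layout).
SAMPLE = [
    "GET /setup.exe?action=view&page=list_users HTTP/1.0",
    "GET /setup.exe?action=%3Cb%3Ex%3C%2Fb%3E&page=list_users HTTP/1.0",
    "GET /setup.exe?action=%253Cb%253E&page=list_users HTTP/1.0",
    "GET /index.html?action=%3Cb%3E HTTP/1.0",
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE):
        print(f"line {number}: action decodes to {value!r}")
```

The same allowlist can serve as server-side input validation for the parameter, alongside HTML-encoding the value wherever it is written back into a page.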