Cisco Secure Access Control Server (ACS) Input Validation Flaw Lets Remote Users Conduct Cross-site Scripting Attacks Against ACS Administrators
SecurityTracker Alert ID: 1004546
SecurityTracker URL: http://securitytracker.com/id/1004546
Date: Jun 15 2002
Disclosure of authentication information, Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 3.0(1), Build 40
An input validation vulnerability was reported in the Cisco Secure ACS RADIUS implementation. A remote user can conduct cross-site scripting attacks against administrators.
It is reported that the web server component of Cisco Secure ACS does not properly filter user-supplied input from the 'action' argument in the setup.exe handler. The report indicates that other arguments may also be affected but were not tested.
A remote user can create a URL that, when loaded by a Cisco Secure ACS administrator, will cause arbitrary scripting code to be executed by the administrator's browser. The code will appear to originate from the ACS web server and will run in the security context of that site. As a result, the code may be able to access the administrator's authentication cookies associated with that site (i.e., the ACS web interface) or to take actions on the web interface acting as the administrator.
A demonstration exploit URL is provided:
For the exploit to be effective, the target ACS administrator must already be logged into the application.
The vendor has reportedly been notified.
A remote user may be able to cause arbitrary scripting code to be executed on a Cisco Secure ACS administrator's browser to steal the administrator's authentication cookies and gain access to the administrator's ACS account.
No solution was available at the time of this entry.
The vendor has reportedly indicated that this will be fixed in the next release of the software, due out in "mid to late summer."
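Until a fixed release is installed, requests to the setup.exe handler can be reviewed for markup in the 'action' argument and in the other arguments the report left untested. The following is an added example, not code from the advisory or from Cisco: it assumes the web component's requests are available in Common Log Format, and the log lines, the `page` parameter name and the `XSS-MARKER` value are constructed for illustration and are not the advisory's demonstration URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Markup or script tokens that should never appear in a handler argument.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_setup_requests(log_lines, handler="setup.exe"):
    """Return (line_no, parameter, decoded_value) for suspicious arguments."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith("/" + handler):
            continue  # only the handler named in the advisory
        # parse_qsl decodes once; fully_decode catches double encoding.
        for name, raw in parse_qsl(target.query, keep_blank_values=True):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                findings.append((line_no, name, value))
    return findings

# Constructed sample log lines (not taken from a real ACS server).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jun/2002:10:01:00 +0000] "GET /setup.exe?action=view HTTP/1.0" 200 512',
    '10.0.0.9 - - [15/Jun/2002:10:02:00 +0000] "GET /setup.exe?action=%3Cscript%3EXSS-MARKER%3C%2Fscript%3E HTTP/1.0" 200 640',
    '10.0.0.9 - - [15/Jun/2002:10:03:00 +0000] "GET /setup.exe?action=view&page=%253Cb%253E HTTP/1.0" 200 640',
    '10.0.0.7 - - [15/Jun/2002:10:04:00 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for line_no, name, value in flag_setup_requests(SAMPLE_LOG):
        print(f"line {line_no}: parameter {name!r} carries markup: {value!r}")
```

A hit means a crafted link reached the server, which under the advisory's conditions implies a logged-in administrator's browser loaded it; that administrator's session should be treated as exposed.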
Vendor URL: www.cisco.com/warp/public/cc/pd/sqsw/sq/
Input validation error
Underlying OS: Windows (Any)
Source Message Contents
Subject: XSS in CiscoSecure ACS v3.0
sMax. Security Advisory
Title: Cross-Site Scripting in CiscoSecure ACS v3.0
Date: June 14, 2002
CiscoSecure ACS v3.0 (Win32)
CiscoSecure ACS is Cisco's implementation of RADIUS.
v3.0 is the current release of the product. Taken
from their website: "Cisco Secure ACS provides
authentication, authorization, and accounting
devices that function as AAA clients, such as a
network access server, PIX Firewall, or router."
Testing CiscoSecure ACS v3.0(1), Build 40 reveals a
cross-site scripting problem in the web server
component. Specifically, the "action" argument that
the setup.exe handler uses does not appear to do
proper input validation. Other arguments were not
tested, though they may be vulnerable as well.
(URL may wrap)
Obviously one needs to already be authenticated to the
ACS web server for this to successfully be carried
Follow best practices, don't make the web component of
ACS server available over the Internet.
Cisco was contacted on May 21st. They have committed
to fixing this in the next release of the software,
due out in "mid to late summer".
- Dave Palumbo