CiscoWorks Input Validation Hole in Login Page Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1019043
SecurityTracker URL: http://securitytracker.com/id/1019043
Date: Dec 5 2007
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Common Services 3.0.x, 3.1
A vulnerability was reported in CiscoWorks. A remote user can conduct cross-site scripting attacks.
The login page does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the CiscoWorks software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor was notified on September 24, 2007.
Cisco has assigned Cisco bug ID CSCsk69289 to this vulnerability.
CiscoWorks Common Management Foundation is not affected.
CiscoWorks products that do not use CiscoWorks Common Services are not affected.
Dave Lewis of Liquidmatrix.org reported this vulnerability.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the CiscoWorks software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has issued a patch, available at:
The Cisco advisory is available at:
Vendor URL: www.cisco.com/warp/public/707/cisco-sr-20071205-cw.shtml
Input validation error
Underlying OS: UNIX (Solaris - SunOS), Windows (2000), Windows (2003)
Source Message Contents
Subject: Advisory: Cross Site Scripting in CiscoWorks
December 5th, 2007
Name: Cross Site Scripting in CiscoWorks
Release Date: 05 December 2007
Discover: Dave Lewis
Systems Affected: CiscoWorks version 2.6 (as tested)
All prior builds are affected
Discovered: 20 August 2007
Reported: 24 September 2007
Fixed: 5 November 2007
Patch Release: 5 December 2007
Published: 5 December 2007
The initial CiscoWorks login page is susceptible to XSS attack.
Impact: attackers could execute XSS attacks that can harvest session
cookies and usernames/passwords.
The application allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the request. Input is not
properly sanitized before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session.
This issue has now been resolved.
The patch may be obtained from:
I would like to thank Cisco for their prompt and professional response to
Liquidmatrix Security Digest
2255B Queen Street East