SecurityTracker.com
Category:   Application (Generic)  >   Cisco Online Help System
Vendors:   Cisco
Cisco Online Help System Input Validation Hole Permits Cross-Site Scripting Attacks Against Several Cisco Products
SecurityTracker Alert ID:  1017778
SecurityTracker URL:  http://securitytracker.com/id/1017778
CVE Reference:   CVE-2007-1467
Updated:  Apr 11 2007
Original Entry Date:  Mar 15 2007
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Cisco Online Help System. A remote user can conduct cross-site scripting attacks. Several Cisco products include this vulnerable component.

The 'PreSearch.html' and 'PreSearch.class' scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Cisco Online Help System software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
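
For defenders reviewing web server logs, the following added example (not part of the advisory or of any Cisco code) flags requests to the two named files whose URL-decoded query string carries tag-like markup. It assumes the search keyword travels in the query string and is logged in common log format; the log lines, the /help/ path and the "keyword" parameter name are constructed for illustration.

```javascript
// Added detection sketch, not code from the advisory. The log lines, the
// /help/ path and the "keyword" parameter name are constructed assumptions.
const SAMPLE_LOG = [
  '192.0.2.10 - - [15/Mar/2007:17:02:11 +0000] "GET /help/PreSearch.html?keyword=vpn+profile HTTP/1.1" 200 5120',
  '192.0.2.44 - - [15/Mar/2007:17:05:39 +0000] "GET /help/PreSearch.html?keyword=some+text+%3Cscript%3Ealert(%27I+am+a+script%27)%3C%2Fscript%3E HTTP/1.1" 200 5164',
  '192.0.2.17 - - [15/Mar/2007:17:06:02 +0000] "GET /help/PreSearch.class?keyword=100%+uptime HTTP/1.1" 200 812',
  '192.0.2.10 - - [15/Mar/2007:17:07:40 +0000] "GET /help/index.html?q=%3Cb%3E HTTP/1.1" 200 900',
];

// Only the two files named in the advisory are in scope.
const TARGET_FILE = /\/PreSearch\.(?:html|class)$/i;
// "<" followed by a tag name or a closing slash, e.g. <script> or </script>.
const TAG_LIKE = /<\s*\/?\s*[a-z]/i;

// URL-decode a query string; a malformed percent-escape must not abort the scan.
function safeDecode(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (err) {
    return raw; // fall back to inspecting the raw text
  }
}

// Return one record per log line that requests a target file with markup in its query.
function findSuspectRequests(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const m = /^(\S+) .*?"(?:GET|POST) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (!m) return;
    const client = m[1];
    const target = m[2];
    const q = target.indexOf('?');
    if (q === -1 || !TARGET_FILE.test(target.slice(0, q))) return;
    const decoded = safeDecode(target.slice(q + 1));
    if (TAG_LIKE.test(decoded)) hits.push({ line: i + 1, client, decoded });
  });
  return hits;
}

console.log(findSuspectRequests(SAMPLE_LOG));
```

A keyword carried in the URL fragment or in a POST body does not appear in a request-line log, so an empty result here does not rule out attempts.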

The online help system component is included in numerous Cisco products, including the following products (with the relevant Cisco Bug ID numbers listed):

* Cisco Secure Access Control Server (ACS) for Windows and Cisco
Secure ACS Solution Engine. All 4.x versions (Cisco Bug ID CSCsh91761)

* Cisco VPN Client (Cisco Bug ID CSCsh52300)

* Cisco Unified Personal Communicator (Cisco Bug ID CSCsh91884)

* Cisco MeetingPlace and Cisco Unified MeetingPlace, end-user and Admin help
systems (Cisco Bug ID CSCsi12435)

* Cisco Unified MeetingPlace Express, end-user and Admin help systems (Cisco
Bug ID CSCsh91901)

* Cisco CallManager (Cisco Bug ID CSCsi10405)

* Cisco IP Communicator (Cisco Bug ID CSCsh91953)

* Cisco Unified Video Advantage, formerly Cisco VT Advantage (Cisco Bug ID
CSCsh93070)

* Cisco Unified Videoconferencing 3545 System, Cisco Unified
Videoconferencing 3540 Series Videoconferencing System, Cisco Unified
Videoconferencing 3515 MCU, Cisco Unified Videoconferencing 3527 PRI
Gateway, Cisco Unified Videoconferencing 3526 PRI Videoconferencing
Gateway, and Cisco Unified Videoconferencing Manager (Cisco Bug ID
CSCsh93854)

* Cisco WAN Manager (CWM) (Cisco Bug ID CSCek71039)

* Cisco Security Device Manager (Cisco Bug ID CSCsh95009)

* Cisco Network Analysis Module (WS-SVC-NAM-1 and WS-SVC-NAM-2) for Catalyst
6500 series switches and Cisco 7600 series routers (Cisco Bug ID CSCsi10818)

* CiscoWorks and all products that integrate with CiscoWorks (Cisco Bug ID
CSCsi10674), including:

+ Management Center for IPS Sensors
+ Security Monitor
+ CiscoWorks LAN Management Solution
+ Router Management Essentials
+ Common Services
+ Device Fault Manager
+ CiscoView
+ Internetwork Performance Monitor (IPM)
+ Campus Manager

* Cisco Wireless LAN Solution Engine (WLSE) (Cisco Bug ID CSCsi10982)

* Cisco 2006 Wireless LAN Controllers (WLC) (Cisco Bug ID CSCsi13743)

* Cisco Wireless Control System (WCS) (Cisco Bug ID CSCsi13763)

* VPN 3000 Series Concentrators (Cisco Bug ID CSCsi47620)

Cisco credits Erwin Paternotte from Fox-IT and Cassio Goldschmidt with independently reporting this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Cisco Online Help System software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The Cisco advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml

[Editor's note: The Cisco Security Response does not indicate whether patches are available or not.]

Vendor URL:  www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  Cisco Security Response: Cross-Site Scripting Vulnerability in Online Help System

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Response: 
Cross-Site Scripting Vulnerability in Online Help System

http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml

Revision 1.0

For Public Release 2007 March 15 1700 UTC (GMT)

- -------------------------------------------------------------------------

Cisco Response
==============

A cross-site scripting (XSS) vulnerability in the online help system
distributed with several Cisco products has been independently reported to
Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt.

The vulnerability would allow an attacker to execute arbitrary scripting code
in a user's web browser if the attacker is successful in enticing the user to
follow a specially crafted, malicious URL.

Multiple Cisco products are affected because the vulnerable online help system
is used by several Cisco products.

This response is posted at 
http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml

Additional Information
======================

The vulnerability exists specifically in the content search feature of the
online help system. This feature allows the user to search for specific
keywords in the help contents. The search feature is implemented through an
HTML form and scripting code.

The vulnerability exists because the search code in the file PreSearch.html (or
in the file PreSearch.class, depending on the product) fails to properly
sanitize all of the user's input.

The vulnerability is triggered when a search keyword that includes scripting
code enclosed by <script> and </script> tags is entered in the text field of
the search form. In some cases, the initial text is sanitized, but further text
is not, so scripting code after the initial text can also trigger the
vulnerability. 
For example: "some text <script>alert('I am a script')</script>".

User intervention is required for an attacker to be able to successfully
exploit this vulnerability: an attacker must be able to trick a user into
following a malicious, specially crafted, URL. In some cases, the user must be
authenticated to the web interface offered by the product for management or
regular use.

The following Cisco products are affected by this vulnerability (all versions
are affected unless a specific version is explicitly mentioned):

  * Cisco Secure Access Control Server (ACS) for Windows version 4.1 and Cisco
    Secure ACS Solution Engine version 4.1. Cisco Bug ID CSCsh91761 

  * Cisco VPN Client. Cisco Bug ID CSCsh52300 

  * Cisco Unified Personal Communicator. Cisco Bug ID CSCsh91884 

  * Cisco MeetingPlace and Cisco Unified MeetingPlace, end-user and Admin help
    systems. Cisco Bug ID CSCsi12435 

  * Cisco Unified MeetingPlace Express, end-user and Admin help systems. Cisco
    Bug ID CSCsh91901 

  * Cisco CallManager. Cisco Bug ID CSCsi10405 

  * Cisco IP Communicator. Cisco Bug ID CSCsh91953 

  * Cisco Unified Video Advantage (formerly Cisco VT Advantage). Cisco Bug ID
    CSCsh93070 

  * Cisco Unified Videoconferencing 3545 System, Cisco Unified
    Videoconferencing 3540 Series Videoconferencing System, Cisco Unified
    Videoconferencing 3515 MCU, Cisco Unified Videoconferencing 3527 PRI
    Gateway, Cisco Unified Videoconferencing 3526 PRI Videoconferencing
    Gateway, and Cisco Unified Videoconferencing Manager. Cisco Bug ID
    CSCsh93854 

  * Cisco WAN Manager (CWM). Cisco Bug ID CSCek71039 

  * Cisco Security Device Manager. Cisco Bug ID CSCsh95009 

  * Cisco Network Analysis Module (NAM) for Catalyst 6500 series switches and
    Cisco 7600 series routers, and for modular IOS routers. Cisco Bug ID
    CSCsi10818 

  * CiscoWorks and all products that integrate with CiscoWorks. Cisco Bug ID
    CSCsi10674 

    Affected CiscoWorks-related products include:

      + Management Center for IPS Sensors
      + Security Monitor
      + CiscoWorks LAN Management Solution
      + Router Management Essentials
      + Common Services
      + Device Fault Manager
      + CiscoView
      + Internetwork Performance Monitor (IPM)
      + Campus Manager

  * Cisco Wireless LAN Solution Engine (WLSE). Cisco Bug ID CSCsi10982 

  * Cisco 2006 Wireless LAN Controllers (WLC). Cisco Bug ID CSCsi13743 

  * Cisco Wireless Control System (WCS). Cisco Bug ID CSCsi13763 

In some cases it is possible to eliminate the vulnerability by removing or
renaming the files PreSearch.html and PreSearch.class (if they exist - use your
operating system's file search feature to locate them.) Please note that this
workaround is not applicable to appliances and other products where direct
access to the file system is not available, and that by removing or renaming
these files it will no longer be possible to search the product's online help
contents.

For additional information on Cross-Site Scripting (XSS) attacks and the
methods used to exploit these vulnerabilities, please refer to the Cisco
Applied Intelligence Response "Understanding Cross-Site Scripting (XSS) Threat
Vectors", available at:

http://www.cisco.com/warp/public/707/cisco-air-20060922-understanding-xss.shtml

The Cisco PSIRT is not aware of any malicious use of the vulnerability
described in this document.

This issue was independently reported to Cisco by Erwin Paternotte from Fox-IT
and by Cassio Goldschmidt. The original reports were for the Cisco CallManager
and for the Cisco VPN Client, respectively. Further investigation revealed a
number of additional affected products. We would like to thank Erwin
Paternotte, Fox-IT, and Cassio Goldschmidt for bringing this issue to our
attention and for working with us towards coordinated disclosure of the issue.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History
================

+---------------------------------------------------------------------+
| Revision |               | Initial public release in coordination   |
| 1.0      | 2007-March-15 | with Erwin Paternotte from Fox-IT and    |
|          |               | with Cassio Goldschmidt.                 |
+---------------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

- -----------------------------------------------------------------------------
All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights reserved.
- -----------------------------------------------------------------------------

Updated: Mar 15, 2007                                        Document ID: 82421

- -----------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFF+YXg8NUAbBmDaxQRAiGbAJ9rmm2liqco3ghbP28eX+YFJCuHGwCfW14f
MmttxQPKVWGFhLCoaZNQyPQ=
=PSV6
-----END PGP SIGNATURE-----
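
The Cisco response above notes that in some cases the initial text is sanitized but later text is not. The following added example (not Cisco's PreSearch code; every function name is hypothetical) models that behaviour as a filter that encodes only the first search term, and sets it beside output encoding applied to the whole keyword.

```javascript
// Added illustration, not Cisco's PreSearch code; all function names are hypothetical.

// Encode the characters that let text break out of an HTML text or attribute context.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Constructed model of the flaw: only the first search term is encoded,
// every later term is echoed into the page as-is.
function renderEchoPartial(keyword) {
  const [first, ...rest] = String(keyword).split(' ');
  return [escapeHtml(first), ...rest].join(' ');
}

// Corrected form: encode the entire keyword at the point of output.
function renderEchoEncoded(keyword) {
  return escapeHtml(keyword);
}

// True when the echoed fragment still carries a raw tag delimiter.
function hasRawMarkup(fragment) {
  return /[<>]/.test(fragment);
}

// A single-term test input (constructed) and the example string from the Cisco response.
const SINGLE_TERM = '<b>help</b>';
const CISCO_EXAMPLE = "some text <script>alert('I am a script')</script>";

// Report whether each rendering leaves raw markup in the echoed keyword.
function compare(keyword) {
  return {
    partial: hasRawMarkup(renderEchoPartial(keyword)),
    encoded: hasRawMarkup(renderEchoEncoded(keyword)),
  };
}

// The single-term input looks safe under both renderings, which is how a
// first-term-only filter can pass a quick check; the multi-term input does not.
console.log(compare(SINGLE_TERM));
console.log(compare(CISCO_EXAMPLE));
```

In browser code, assigning the keyword through `textContent` instead of building an HTML string gives the same result without a hand-written encoder.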

 
 

