Hi Dave,

Thank you for posting this information. The defect IDs for Cisco customers who wish to track this issue via the Cisco Bug toolkit on our website are: CSCdx88709 and CSCdx88715 for both affected release versions.

Thank you,

Lisa Napier
Product Security Incident Response Team
Cisco Systems

At 01:39 PM 6/14/2002, Dave Palumbo wrote:

>sMax. Security Advisory
>-------------------------------
>
>Title: Cross-Site Scripting in CiscoSecure ACS v3.0
>Date: June 14, 2002
>
>PRODUCT AFFECTED:
>
>CiscoSecure ACS v3.0 (Win32)
>
>PRODUCT OVERVIEW:
>
>CiscoSecure ACS is Cisco's implementation of RADIUS.
>v3.0 is the current release of the product. Taken
>from their website: "Cisco Secure ACS provides
>authentication, authorization, and accounting
>(AAA—pronounced "triple A") services to network
>devices that function as AAA clients, such as a
>network access server, PIX Firewall, or router."
>
>VULNERABILITY:
>
>Testing CiscoSecure ACS v3.0(1), Build 40 reveals a
>cross-site scripting problem in the web server
>component. Specifically, the "action" argument that
>the setup.exe handler uses does not appear to do
>proper input validation. Other arguments were not
>tested, though they may be vulnerable as well.
>
>Proof-of-concept:
>http://IP.ADD.RE.SS:dyn_port/setup.exe?action=<script>alert('foo+bar')</script>&page=list_users&user=P*
>(URL may wrap)
>
>Obviously one needs to already be authenticated to the
>ACS web server for this to successfully be carried
>out.
>
>SOLUTION:
>
>Follow best practices, don't make the web component of
>ACS server available over the Internet.
>
>Cisco was contacted on May 21st. They have committed
>to fixing this in the next release of the software,
>due out in "mid to late summer".
>
>- Dave Palumbo
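Until a fixed release is installed, requests of the kind described in the advisory can be looked for in web access logs. The following is an added example, not part of the advisory or of Cisco's software: it flags setup.exe requests whose query parameters decode to HTML markup, including double percent-encoded values. The Common Log Format layout, the sample lines, and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines. Common Log Format is an assumption;
# the advisory does not describe the ACS web server's real log layout.
SAMPLE_LOG = """\
192.0.2.10 - admin [14/Jun/2002:13:39:00 -0400] "GET /setup.exe?action=list&page=list_users&user=P* HTTP/1.0" 200 512
192.0.2.11 - admin [14/Jun/2002:13:40:00 -0400] "GET /setup.exe?action=%3Cscript%3Ealert('foo+bar')%3C/script%3E&page=list_users&user=P* HTTP/1.0" 200 498
192.0.2.12 - admin [14/Jun/2002:13:41:00 -0400] "GET /setup.exe?action=%253Cscript%253Ealert('foo+bar')%253C/script%253E&page=list_users HTTP/1.0" 200 300
192.0.2.13 - - [14/Jun/2002:13:42:00 -0400] "GET /index.html?action=<b> HTTP/1.0" 404 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that should never appear in a handler argument such as "action".
MARKUP_RE = re.compile(r'[<>"]')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_setup_requests(log_text):
    """Return (line_no, parameter, decoded_value) for every setup.exe
    request whose query parameters contain HTML markup characters."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/setup.exe"):
            continue  # only the handler named in the advisory
        # The advisory tested "action" only and notes other arguments may
        # be affected too, so every parameter is checked.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if MARKUP_RE.search(decoded):
                hits.append((line_no, name, decoded))
    return hits


if __name__ == "__main__":
    for hit in suspicious_setup_requests(SAMPLE_LOG):
        print(hit)
```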