-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Cassio, On Thu, Mar 15, 2007 at 05:41:31PM -0000, cassio (at) mail (dot) com [email concealed] wrote: > What: cross-site scripting (XSS) vulnerability in the online help > system distributed with several Cisco products > > Release Date: 03-15-2007 > > Application: 14 different applications verified by Cisco > up to now. For a complete list of affected products see > http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml > > Vendor status: Replicated and verified by Cisco Systems, patch available. > > Overview: > > There exists a cross site scripting in Cisco VPN client in the search > engine of the HTML help file. The result is that when a specially > crafted search is performed, arbitrary code running with current > logged user privilege can be executed on the host in question. > > Details: > > Cisco online help provides an HTML based search feature. During my > investigation it was discovered that a specially crafted query can > lead to script execution despite of attempts to cleanse user input by > eliminating special characters such as ?<>;:? from the begging and > end of the search string as observed on the HTML code. > > The result is script code execution in the local user context in the > host. Preliminary tests concluded the system is vulnerable with most > popular web browsers such as Microsoft Internet Explorer 7.0 and > Mozilla Firefox 2.0 fully patched. > > User intervention (e.g. clicking on a malicious link) is necessary to > trigger the exploit. Thanks for bringing this issue to our attention; we confirm your findings. This online help system is actually used by several Cisco products so in addition to the Cisco VPN Client, where you originally found this problem on, the following products are also affected: - ---------------------------------------------------------------------- * Cisco Secure Access Control Server (ACS) for Windows version 4.1 and Cisco Secure ACS Solution Engine version 4.1. Cisco Bug ID CSCsh91761. * Cisco VPN Client. Cisco Bug ID CSCsh52300. * Cisco Unified Personal Communicator. Cisco Bug ID CSCsh91884. * Cisco MeetingPlace and Cisco Unified MeetingPlace, end-user and Admin help systems. Cisco Bug ID CSCsi12435. * Cisco Unified MeetingPlace Express, end-user and Admin help systems. Cisco Bug ID CSCsh91901. * Cisco CallManager. Cisco Bug ID CSCsi10405. * Cisco IP Communicator. Cisco Bug ID CSCsh91953. * Cisco Unified Video Advantage (formerly Cisco VT Advantage). Cisco Bug ID CSCsh93070. * Cisco Unified Videoconferencing 3545 System, Cisco Unified Videoconferencing 3540 Series Videoconferencing System, Cisco Unified Videoconferencing 3515 MCU, Cisco Unified Videoconferencing 3527 PRI Gateway, Cisco Unified Videoconferencing 3526 PRI Videoconferencing Gateway, and Cisco Unified Videoconferencing Manager. Cisco Bug ID CSCsh93854. * Cisco WAN Manager (CWM). Cisco Bug ID CSCek71039. * Cisco Security Device Manager. Cisco Bug ID CSCsh95009. * Cisco Network Analysis Module (NAM) for Catalyst 6500 series switches and Cisco 7600 series routers, and for modular IOS routers. Cisco Bug ID CSCsi10818. * CiscoWorks and all products that integrate with CiscoWorks. Cisco Bug ID CSCsi10674. Affected CiscoWorks-related products include: - Management Center for IPS Sensors - Security Monitor - CiscoWorks LAN Management Solution - Router Management Essentials - Common Services - Device Fault Manager - CiscoView - Internetwork Performance Monitor (IPM) - Campus Manager * Cisco Wireless LAN Solution Engine (WLSE). Cisco Bug ID CSCsi10982. * Cisco 2006 Wireless LAN Controllers (WLC). Cisco Bug ID CSCsi13743. * Cisco Wireless Control System (WCS). Cisco Bug ID CSCsi13763. - ---------------------------------------------------------------------- Our investigation into affected products is still on-going. We will make any necessary updates to the response we have posted to cisco.com at the following URL: http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml In some cases it is possible to eliminate the vulnerability by removing or renaming the files PreSearch.html and PreSearch.class (if they exist - - they can be found using the operating system's file search feature.) Please note that this workaround is not applicable to appliances and other products where direct access to the file system is not available, and that by removing or renaming these files it will no longer be possible to search the product's online help contents. We also have a companion document that provides additional information on Cross-Site Scripting (XSS) attacks and the methods used to exploit them. This document, a Cisco Applied Intelligence Response titled "Understanding Cross-Site Scripting (XSS) Threat Vectors", is available at: http://www.cisco.com/warp/public/707/cisco-air-20060922-understanding-xs s.shtml We are not aware of any malicious use of this vulnerability. This issue was also reported to us by Erwin Paternotte from Fox-IT, just five days apart. Erwin's report was on the Cisco CallManager. We would like to thank you both for bringing this issue to our attention and for working with us towards coordinated disclosure of the issue. Cheers, - -- Eloy Paris Product Security Incident Response Team (PSIRT) Cisco Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF+YvuagjTfAtNY9gRAkV4AKCN9wPgg4aODT0u+gZAz+SQw02xfACeNu9I /rUXLAWxJliZKsFLtdArelo= =pTwJ -----END PGP SIGNATURE-----