XSS in CiscoSecure ACS v3.0
From: Dave Palumbo (dpalumbo@yahoo.com)
Date: 06/14/02
Date: Fri, 14 Jun 2002 13:39:44 -0700 (PDT)
From: Dave Palumbo <dpalumbo@yahoo.com>
To: bugtraq@securityfocus.com
sMax. Security Advisory
-------------------------------
Title: Cross-Site Scripting in CiscoSecure ACS v3.0
Date: June 14, 2002
PRODUCT AFFECTED:
CiscoSecure ACS v3.0 (Win32)
PRODUCT OVERVIEW:
CiscoSecure ACS is Cisco's implementation of RADIUS.
v3.0 is the current release of the product. Taken
from their website: "Cisco Secure ACS provides
authentication, authorization, and accounting
(AAA—pronounced "triple A") services to network
devices that function as AAA clients, such as a
network access server, PIX Firewall, or router."
VULNERABILITY:
Testing CiscoSecure ACS v3.0(1), Build 40 reveals a
cross-site scripting problem in the web server
component. Specifically, the "action" argument that
the setup.exe handler uses does not appear to do
proper input validation. Other arguments were not
tested, though they may be vulnerable as well.
Proof-of-concept:
http://IP.ADD.RE.SS:dyn_port/setup.exe?action=
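
A defender-side check for the issue described above, added here as an example and not part of the original advisory or any Cisco code: it scans web access logs for setup.exe requests whose "action" argument, after undoing nested percent-encoding, is not a plain token. The log format, the allowlist pattern and the sample lines are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: legitimate "action" values are short alphanumeric tokens.
# The advisory does not list valid values; tune this to your deployment.
SAFE_ACTION = re.compile(r"[A-Za-z0-9_]{1,64}")
# Assumption: requests are logged in Common Log Format style.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # undo nested percent-encoding (%253C -> %3C -> <)

def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_actions(target):
    """Return decoded 'action' values of a setup.exe request that fail the allowlist."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/setup.exe"):
        return []
    hits = []
    for name, raw in parse_qsl(parts.query):  # parse_qsl decodes once
        if name.lower() == "action":
            value = fully_decode(raw)
            if not SAFE_ACTION.fullmatch(value):
                hits.append(value)
    return hits

def scan(lines):
    """Return (line number, HTML-escaped value) pairs, safe to show in a web report."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            for value in suspicious_actions(match.group(1)):
                findings.append((lineno, html.escape(value)))
    return findings

# Constructed sample log lines (not taken from the advisory or a real server).
SAMPLE = [
    '192.0.2.10 - - [14/Jun/2002:13:00:01 -0700] "GET /setup.exe?action=view HTTP/1.0" 200 512',
    '192.0.2.11 - - [14/Jun/2002:13:00:02 -0700] "GET /setup.exe?action=%3Cb%3Ex%3C%2Fb%3E HTTP/1.0" 200 530',
    '192.0.2.12 - - [14/Jun/2002:13:00:03 -0700] "GET /setup.exe?action=%253Cb%253E HTTP/1.0" 200 530',
    '192.0.2.13 - - [14/Jun/2002:13:00:04 -0700] "GET /index.html?action=%3Cb%3E HTTP/1.0" 404 120',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE):
        print(f"line {lineno}: rejected action value {value}")
```

The findings are HTML-escaped before being returned so that a report built from them does not reflect the same markup back into a browser.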