[EN] securityvulns.ru

From: Patrik Karlsson <patrik.karlsson_(at)_ixsecurity.com>
Date: 04.04.2002
Subject: iXsecurity.20020316.csadmin_dir.a

iXsecurity Security Vulnerability Report
No: iXsecurity.20020316.csadmin_dir.a
========================================

Vulnerability Summary
---------------------
Problem:                Cisco Secure ACS webserver has a directory
                        traversal issue.

Threat:                 An attacker could retrieve any html, htm, class,
                       jpg, jpeg or gif file outside of the webroot.

Affected Software:      Cisco Secure ACS 2.6.X and 3.0.1 (build 40).

Platform:               Windows NT/2000.

Solution:               Install the patch from Cisco.

Vulnerability Description
-------------------------
Cisco Secure ACS has a webserver interface listening on port 2002.
It is possible for a logged-in user to read files outside the web directory.
After a successful login, one could supply e.g.
http://<ip>:<dynamicport>/..\..\..\..\..\..\temp\temp.class
to read the contents of the file temp.class in the folder temp on the same
volume on which the software is installed.
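As an added illustration (not Cisco's or iXsecurity's code), the webroot containment check that the ACS web server lacked, in Python: it decodes percent-encoding and treats backslashes as separators before collapsing `..` segments, applies the extension allow-list only afterwards, and a small scanner runs the same check over constructed access-log lines. The webroot path and the log lines are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

WEBROOT = "/var/acs/www"  # constructed placeholder, not the real ACS install path
# File types the advisory lists as retrievable through the web interface.
ALLOWED_EXTENSIONS = {".html", ".htm", ".class", ".jpg", ".jpeg", ".gif"}


def check_request(request_path, webroot=WEBROOT):
    """Return (allowed, reason, resolved_path) for a requested URL path.

    Percent-decodes twice (to catch double encoding), treats '\\' like '/'
    because the Windows filesystem accepts both, collapses '..' segments and
    only then checks containment.  An extension allow-list on its own lets
    /..\\..\\temp\\temp.class through, which is the advisory's finding.
    """
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    # Strip leading slashes so join() treats the request as relative to webroot.
    relative = decoded.lstrip("/")
    resolved = posixpath.normpath(posixpath.join(webroot, relative))
    # The trailing "/" stops "/var/acs/www2/x.html" from matching "/var/acs/www".
    if resolved != webroot and not resolved.startswith(webroot + "/"):
        return False, "traversal", resolved
    if posixpath.splitext(resolved)[1].lower() not in ALLOWED_EXTENSIONS:
        return False, "extension", resolved
    return True, "ok", resolved


LOG_LINE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/\d\.\d"')


def flag_traversal(log_lines):
    """Return the request paths in common-log-format lines that escape webroot."""
    flagged = []
    for line in log_lines:
        match = LOG_LINE.search(line)
        if match and check_request(match.group("path"))[1] == "traversal":
            flagged.append(match.group("path"))
    return flagged


# Constructed sample log lines: the first mirrors the advisory's example request,
# the second is the same request percent-encoded, the third is a normal page load.
SAMPLE_LOG = [
    '10.0.0.5 - admin [04/Apr/2002:10:00:01 +0100] "GET /..\\..\\..\\..\\..\\..\\temp\\temp.class HTTP/1.0" 200 512',
    '10.0.0.5 - admin [04/Apr/2002:10:00:02 +0100] "GET /%2e%2e%5c%2e%2e%5ctemp%5ctemp.class HTTP/1.0" 200 512',
    '10.0.0.7 - admin [04/Apr/2002:10:00:03 +0100] "GET /images/logo.gif HTTP/1.0" 200 2048',
]
```

Running `flag_traversal(SAMPLE_LOG)` returns the first two request paths; the third resolves inside the webroot and passes the extension check.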

Solution
--------
Cisco PSIRT can confirm this vulnerability. The Security Advisory
was published and it is at
http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml
Only Cisco ACS for Windows is affected. The Unix version is not
affected by these issues. You can download patches by following
instructions in the Advisory.

Additional Information
----------------------
Cisco was contacted on 20020316.


This vulnerability was found and researched by
Jonas Ländin, jonas.landin@ixsecurity.com
Patrik Karlsson, patrik.karlsson@ixsecurity.com
