Date: 15 Mar 2007 17:41:31 -0000
From: [email protected]
To: [email protected]
Subject: XSS vulnerability in the online help system of several Cisco products
What: cross-site scripting (XSS) vulnerability in the online help system distributed with several Cisco products
Release Date: 03-15-2007
Application: 14 different applications verified by Cisco up to now. For a complete list of affected products see http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml
Vendor status: Replicated and verified by Cisco Systems, patch available.
Overview:
A cross-site scripting vulnerability exists in the search engine of the HTML help file in the Cisco VPN client. As a result, when a specially crafted search is performed, arbitrary code can be executed on the host in question with the privileges of the currently logged-in user.
Details:
Cisco online help provides an HTML-based search feature. During my investigation it was discovered that a specially crafted query can lead to script execution despite attempts to cleanse user input by eliminating special characters such as “<>;:” from the beginning and end of the search string, as observed in the HTML code.
The result is script code execution in the local user context on the host. Preliminary tests concluded that the system is vulnerable with most popular web browsers, such as Microsoft Internet Explorer 7.0 and Mozilla Firefox 2.0, fully patched.
User intervention (e.g. clicking on a malicious link) is necessary to trigger the exploit.
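The weakness described in Details, as an added example that is not Cisco's help-system code: a filter that strips “<>;:” only from the ends of the query is compared with encoding every metacharacter at output. All function names are hypothetical, the sample queries are constructed with harmless markup as a marker, and it is an assumption that the query is echoed into the results page.

```javascript
// Added illustration; not the Cisco help-system code. All names are hypothetical.

// Weak approach described in the advisory: strip the special characters
// "<>;:" only from the beginning and end of the search string.
function trimSpecialEnds(query) {
  return query.replace(/^[<>;:]+/, "").replace(/[<>;:]+$/, "");
}

// Hardened approach: encode every HTML metacharacter wherever it appears,
// at the point where the string is written into the results page.
function escapeHtml(text) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Assumed rendering step: the query is echoed into a "no results" line.
function renderWeak(query) {
  return "<p>No results for: " + trimSpecialEnds(query) + "</p>";
}
function renderHardened(query) {
  return "<p>No results for: " + escapeHtml(query) + "</p>";
}

// True if any tag beyond the wrapper <p>...</p> survived in the output.
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<p>/, "").replace(/<\/p>$/, "");
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed sample queries (harmless markup used as a marker).
const samples = [
  "vpn profile",                 // ordinary query
  "<<vpn profile>>",             // specials only at the ends: weak filter copes
  "vpn <b>profile</b> settings", // specials in the middle: weak filter misses them
];

// Runs every sample through both renderers and reports what leaked.
function audit() {
  return samples.map((q) => ({
    query: q,
    weakLeaksMarkup: containsInjectedMarkup(renderWeak(q)),
    hardenedLeaksMarkup: containsInjectedMarkup(renderHardened(q)),
  }));
}

console.table(audit());
```

Only the third sample leaks markup through the end-trimming filter; the output-encoding version leaks none.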
Vendor Response:
The above vulnerability was addressed by Cisco Systems and a patch is available. For details see http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml
Recommendation:
Apply the patch supplied by Cisco Systems in accordance with your organization’s software maintenance, test and deployment procedures.