XSS vulnerability in the online help system of several Cisco products
What: cross-site scripting (XSS) vulnerability in the online help system
distributed with several Cisco products
Release Date: 03-15-2007
Application: 14 different applications verified by Cisco up to now. For a
complete list of affected products see
http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml
Vendor status: Replicated and verified by Cisco Systems, patch available.
Overview:
A cross-site scripting vulnerability exists in the search engine of the HTML
help file of the Cisco VPN client. When a specially crafted search is
performed, arbitrary code can be executed on the host in question with the
privileges of the currently logged-in user.
Details:
Cisco online help provides an HTML based search feature. During my
investigation it was discovered that a specially crafted query can lead to
script execution despite attempts to cleanse user input by eliminating
special characters such as "<>;:" from the beginning and end of the search
string, as observed in the HTML code.
The result is script code execution in the local user context on the
host. Preliminary tests concluded that the system is vulnerable with the most
popular web browsers, such as Microsoft Internet Explorer 7.0 and Mozilla
Firefox 2.0, fully patched.
User intervention (e.g. clicking on a malicious link) is necessary to
trigger the exploit.
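
The edge-only cleansing described above, as an added example (not Cisco's help-system code and not part of the original advisory): a hypothetical reconstruction of a filter that strips "<>;:" only from the ends of the query, beside an output-encoding alternative. All function names and the sample query are assumptions.

```javascript
// Added illustration; not Cisco's help-system code. All names are hypothetical.
const SPECIAL = "<>;:";

// Edge-only cleansing, as the Details describe: special characters are
// removed from the beginning and end of the query, never from the middle.
function stripEdges(query) {
  let start = 0;
  let end = query.length;
  while (start < end && SPECIAL.includes(query[start])) start++;
  while (end > start && SPECIAL.includes(query[end - 1])) end--;
  return query.slice(start, end);
}

// Hardened alternative: encode every HTML metacharacter wherever it occurs,
// so the query can only ever be rendered as text.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Result-page fragment builders: the weak form and the corrected form.
function renderWeak(query) {
  return "<p>Results for: " + stripEdges(query) + "</p>";
}
function renderSafe(query) {
  return "<p>Results for: " + escapeHtml(query) + "</p>";
}

// True when the fragment contains a tag the template itself did not create.
function hasInjectedElement(fragment) {
  const inner = fragment.replace(/^<p>/, "").replace(/<\/p>$/, "");
  return /<[a-zA-Z\/]/.test(inner);
}

// Constructed sample query with harmless markup in the middle.
const sample = "<vpn <b>client</b> setup>";

console.log(renderWeak(sample)); // the <b> element survives the edge filter
console.log(renderSafe(sample)); // every metacharacter is encoded
```

In a browser, assigning the query to an element's textContent gives the same guarantee without building HTML strings.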
Vendor Response:
The above vulnerability was addressed by Cisco Systems and a patch is
available. For details see
http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml
Recommendation:
Apply the patch supplied by Cisco Systems in accordance with your
organization's software maintenance, test and deployment procedures.