XSS vulnerability in the online help system of several Cisco products



What: cross-site scripting (XSS) vulnerability in the online help system 
distributed with several Cisco products
Release Date: 03-15-2007
Application: 14 different applications verified by Cisco up to now. For a 
complete list of affected products see 
http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml
Vendor status: Replicated and verified by Cisco Systems, patch available.


Overview: 

        A cross-site scripting vulnerability exists in the Cisco VPN client, 
in the search engine of the HTML help file. When a specially crafted search is 
performed, arbitrary code can be executed on the host in question with the 
privileges of the currently logged-in user.


Details: 

        Cisco online help provides an HTML-based search feature. During my 
investigation it was discovered that a specially crafted query can lead to 
script execution despite attempts to cleanse user input by eliminating 
special characters such as "<>;:" from the beginning and end of the search 
string, as observed in the HTML code.

        The result is script code execution in the local user context in the 
host. Preliminary tests concluded the system is vulnerable with most popular 
web browsers such as Microsoft Internet Explorer 7.0 and Mozilla Firefox 2.0 
fully patched.

        User intervention (e.g. clicking on a malicious link) is necessary to 
trigger the exploit.

Vendor Response:

        The above vulnerability was addressed by Cisco Systems and a patch is 
available. For details see 
http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml 

Recommendation:

        Apply the patch supplied by Cisco Systems according to your 
organization's software maintenance test and deployment procedures.
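
Added example (not part of the original advisory and not Cisco's code): a sketch of why the filtering described under Details, which strips special characters only from the beginning and end of the search string, leaves markup in the middle untouched, shown beside output encoding as the hardened form. The function names, the renderers and the sample queries are assumptions constructed for illustration.

```javascript
// Added illustration; not the help system's actual code.
// Character set taken from the advisory's description: < > ; :
const SPECIAL = "<>;:";

// Reconstruction (assumption) of the filtering approach described:
// special characters are removed only from the start and end of the query.
function stripEdges(query) {
  let start = 0;
  let end = query.length;
  while (start < end && SPECIAL.includes(query[start])) start++;
  while (end > start && SPECIAL.includes(query[end - 1])) end--;
  return query.slice(start, end);
}

// Hardened approach: leave the query intact and encode it for the HTML
// context at the point where it is written into the results page.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical result-page renderers for comparison.
function renderWeak(query) {
  return "<p>Results for: " + stripEdges(query) + "</p>";
}
function renderHardened(query) {
  return "<p>Results for: " + encodeForHtml(query) + "</p>";
}

// Check: does any markup character from the query reach the page unencoded?
function containsRawMarkup(fragment) {
  return /[<>]/.test(fragment);
}

// Constructed sample queries (benign markup only).
const samples = ["<vpn>", "vpn <b>client</b> setup", ";:<<split tunnel>>:;"];
for (const q of samples) {
  console.log(JSON.stringify(q));
  console.log("  edge strip:", JSON.stringify(stripEdges(q)), "raw markup:", containsRawMarkup(stripEdges(q)));
  console.log("  encoded   :", JSON.stringify(encodeForHtml(q)), "raw markup:", containsRawMarkup(encodeForHtml(q)));
}
```

Only the second sample survives the edge filter with its angle brackets intact, which is the case the filter does not cover; the encoded form carries no raw markup for any input.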