Cisco Secure ACS for Unix LogonProxy.cgi Multiple Variable XSS

2006-06-15T10:49:01
ID OSVDB:26531
Type osvdb
Reporter THOMAS LIAM ROMANIS(liam.romanis@uk.fujitsu.com)
Modified 2006-06-15T10:49:01

Description

Vulnerability Description

Cisco Secure ACS for Unix contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate the 'error', 'SSL', and 'Ok' variables upon submission to the LogonProxy.cgi script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Cisco has released a patch to address this vulnerability.

Manual Testing Notes

http://[target]/CScgi/LogonProxy.cgi?Server=0.0.0.0&error=<script>alert("help")</script>

http://[target]/CScgi/LogonProxy.cgi?Server=10.17.12.184/Logon?null&SSL=<script>alert('help')</script>

http://[target]/CScgi/LogonProxy.cgi?Ok=<script>alert('help')</script>

References:

Vendor Specific Solution URL: http://www.cisco.com/pcgi-bin/tablebuild.pl/cspatchunix-3des
Vendor Specific Advisory URL
Security Tracker: 1016317
Secunia Advisory ID: 20699
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0329.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0340.html
FrSIRT Advisory: ADV-2006-2384
CVE-2006-3101
Bugtraq ID: 18449