Cisco CallManager CCMAdmin/serverlist.asp pattern Variable XSS

2007-05-23T11:33:49
ID OSVDB:35337
Type osvdb
Reporter Stefan Friedli, Marc Ruef (maru@scip.ch)
Modified 2007-05-23T11:33:49

Description

Vulnerability Description

CallManager contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate the 'pattern' variable when it is submitted to the serverlist.asp script. A user could create a specially crafted URL that executes arbitrary code in another user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to versions 3.3(5)sr3, 4.1(3)sr5, 4.2(3)sr2, 4.3(1)sr1 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

https://[target]/CCMAdmin/serverlist.asp?findBy=servername&match=begins&pattern=<img%20src='http://[attacker]/scip.gif'%20style='border:%201px%20solid%20black;'>
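
One way to review web server logs for requests shaped like the test URL above, as an added example that is not part of the original advisory. It assumes Common Log Format access logs; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value break out of text or attribute context.
MARKUP_RE = re.compile(r'[<>"\']')
TARGET_PATH = "/ccmadmin/serverlist.asp"  # compared case-insensitively

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %253C is also seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_pattern_values(log_line):
    """Return decoded 'pattern' values that carry markup characters."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    if target.path.lower() != TARGET_PATH:
        return []
    # parse_qs performs the first round of percent-decoding.
    params = parse_qs(target.query, keep_blank_values=True)
    hits = []
    for key, values in params.items():
        if key.lower() != "pattern":
            continue
        for raw in values:
            decoded = fully_decode(raw)
            if MARKUP_RE.search(decoded):
                hits.append(decoded)
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/May/2007:11:40:01 +0000] "GET /CCMAdmin/serverlist.asp?findBy=servername&match=begins&pattern=ccm-pub HTTP/1.1" 200 5120',
    '192.0.2.44 - - [23/May/2007:11:41:17 +0000] "GET /CCMAdmin/serverlist.asp?findBy=servername&match=begins&pattern=%3Cimg%20src=%27x.gif%27%3E HTTP/1.1" 200 5233',
    '192.0.2.44 - - [23/May/2007:11:42:03 +0000] "GET /ccmadmin/ServerList.asp?pattern=%253Cb%253E HTTP/1.1" 200 5101',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for value in suspicious_pattern_values(line):
            print("markup in 'pattern':", value)
```

A hit only shows that markup was submitted in 'pattern'; whether it was reflected unescaped depends on the installed CallManager version listed under Solution Description.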

References:

Vendor Specific Advisory URL
Security Tracker: 1018105
Secunia Advisory ID: 25377
Other Advisory URL: http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2977
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-05/0354.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-05/0359.html
ISS X-Force ID: 34465
FrSIRT Advisory: ADV-2007-1922
CVE-2007-2832
Bugtraq ID: 24119