CiscoSecure ACS Arbitrary File Access

2002-04-16T00:00:00
ID OSVDB:5352
Type osvdb
Reporter Patrik Karlsson (patrik.karlsson@ixsecurity.com), Jonas Ländin (jonas.landin@ixsecurity.com)
Modified 2002-04-16T00:00:00

Description

Vulnerability Description

Cisco SecureACS for Windows, versions up to and including 2.6 and 3.0.1 build 40, contains a flaw that allows a remote attacker to access data outside of the web path. The program does not properly sanitize user input, specifically directory traversal sequences (../../) supplied via the URL.

Solution Description

There are currently no known workarounds or upgrades that correct this issue. However, Cisco has released a patch to address this vulnerability.

References:

Vendor Specific Advisory URL
Vendor Specific Advisory URL
Mail List Post: http://www.securityfocus.com/archive/1/265594
Keyword: Directory Traversal
Keyword: CSCdx17698
Keyword: ACS
Keyword: Access Control Server
Keyword: TCP Port 2002
Keyword: CSCdx17689
CVE-2002-0160