AIS Corporation (c) 2014
CISCO Systems Inc. Security Report
============================================================
Published Report: 19/02/2014
Credits: Advanced Information Security Corporation, USA
Severity: High/Critical (OWASP TOP 10)
CVSS: 7.0
Type: Web Application / Reflected Cross-Site Scripting (XSS).
Author: Nicholas Lemonias.
Background
==================================================
Cisco Systems, Inc. is an American multinational corporation headquartered
in San Jose, California, that designs, manufactures, and sells networking
equipment.
The stock was added to the Dow Jones Industrial Average on June 8, 2009,
and is also included in the S&P 500 Index, the Russell 1000 Index,
NASDAQ-100 Index and the Russell 1000 Growth Stock Index.
Cisco Systems was founded in December 1984 by two members of Stanford
University computer support staff: Leonard Bosack, who was in charge of the
computer science department's computers, and Sandy Lerner, who managed the
Graduate School of Business' computers.
Vulnerability Disclosure Timeline
==================================================
[+] 12th of August 2013 - Contacted the vendor regarding the security issue.
[+] 10th of September 2013 - Vendor acknowledged the problem.
[+] 11th of September 2013 - Problem mitigated by the vendor.
Vendor Overview
==================================================
Cisco's visitors, users and products trust the vendor's website by default.
The software downloads area of the public-facing site, however, carries a web
application vulnerability: the page that lists software release updates is
vulnerable to a reflected cross-site scripting attack.
The input parameter 'release' of the Cisco software downloads page
(/download/release.html) is reflected into the response without filtering or
encoding metacharacters. As a result, untrusted third-party code supplied in
the request is reproduced in the page and executed by the user's browser in
the context of www.cisco.com. The confidentiality, integrity and availability
of user and product information are therefore impacted, as benchmarked against
security standards and best security practice (ISO/IEC 27001).
Proof of Concept (PoC A) / Affected Services
==================================================
http://www.cisco.com/download/release.html?catid=268438162&mdfid=281940730&os=Windows&release=<script>alert(1);</script>&relind=AVAILABLE&rellifecycle=&reltype=latest&softwareid=282364316
Affected directory/script: /download/release.html
Injected code in the query string (the 'release' parameter):
&release=<script>alert(1);</script>&relind=AVAILABLE&rellifecycle=&reltype=latest&softwareid=282364316
Recommendations provided for Quality of Service
==================================================
A. The recommendations made to Cisco Systems Inc. were made in good faith, in
support of quality of service and best security practice.
The technical recommendations were to consider cryptographic protection
(integrity checking) of the application's view state, and to implement
stronger cross-site scripting protection. XSS filtering was not properly
applied: metacharacters were accepted in input sent over HTTP and reflected
into the response, which permitted the injection of third-party code.
B. We also advised Cisco Systems Inc. to perform an immediate risk assessment
and to review upper-level security policies in accordance with best security
practice. This advice was kindly followed by the Cisco team.
We further recommended a full review of the ISMS policy scope and a revisit
of the SDLC for other subsidiary pages.
Attack vector: the payload is usually delivered in the form of a hyperlink,
disseminated through email, social networking websites, forums or other online
sources. A malicious adversary could take advantage of this vulnerability for
the mass exploitation of unsuspecting users, and could exploit weaknesses in
the filter's handling of alternative encodings to further obfuscate the
payload.
Appendices
==================================================
A. Suggested the filtering (allow-listing) of metacharacters in user input.
B. Suggested contextual output encoding on the server before user-supplied
data is reflected into the response.
C. An XSS attack could enable mass attacks on users and products, phishing,
and theft of private and confidential information such as credit card numbers,
passwords and stored account credentials.
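The following is an added example, not code from the advisory or from Cisco. It is a minimal Python model of the /download/release.html handler: it parses the PoC URL from the Proof of Concept section, reflects the 'release' parameter unencoded as the vulnerable page did, and places beside it the two mitigations of Appendices A and B (allow-list validation of the parameter and contextual output encoding). All function names, the allow-list pattern and the rendered markup are assumptions made for illustration; only the URL and its parameter names come from the advisory.

```python
import re
from html import escape
from urllib.parse import urlsplit, unquote_plus, quote

# Constructed input: the advisory's PoC URL, reproduced here as test data.
# The query parameter names are the real ones from the PoC; every handler
# below is a hypothetical model of the page, not Cisco's actual code.
POC_URL = (
    "http://www.cisco.com/download/release.html?catid=268438162&mdfid=281940730"
    "&os=Windows&release=<script>alert(1);</script>&relind=AVAILABLE"
    "&rellifecycle=&reltype=latest&softwareid=282364316"
)
PAYLOAD = "<script>alert(1);</script>"

# Allow-list for a plausible release token such as "15.1(4)M4".
# Assumed policy for illustration only; a real deployment would derive it
# from the catalogue of valid release identifiers.
RELEASE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._()\-]{0,63}")


def query_params(url: str) -> dict:
    """Split the query string on '&' only and percent-decode each pair.

    Written by hand instead of urllib.parse.parse_qs so that the ';' inside
    the payload is never treated as a pair separator (older parse_qs did).
    """
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def render_vulnerable(release: str) -> str:
    """The behaviour the advisory describes: the parameter is reflected verbatim."""
    return f"<h2>Software release: {release}</h2>"


def render_hardened(release: str) -> str:
    """Contextual output encoding (Appendix B): HTML entity encoding for the
    body and attribute contexts, percent-encoding for the URL context."""
    html_ctx = escape(release, quote=True)   # < > & " ' become entities
    url_ctx = quote(release, safe="")        # everything but unreserved chars
    return (
        f"<h2>Software release: {html_ctx}</h2>\n"
        f'<a href="/download/release.html?release={url_ctx}" '
        f'data-release="{html_ctx}">permalink</a>'
    )


def release_is_valid(release: str) -> bool:
    """Input validation (Appendix A): accept only allow-listed release tokens."""
    return RELEASE_RE.fullmatch(release) is not None


def handle_request(url: str, hardened: bool = True) -> str:
    """Model of the /download/release.html handler: validate, then render."""
    release = query_params(url).get("release", "")
    if hardened and not release_is_valid(release):
        # Reject rather than sanitise: an arbitrary string never reaches
        # the template, so no filter-evasion encoding trick applies.
        return "<h2>Invalid release parameter</h2>"
    return render_hardened(release) if hardened else render_vulnerable(release)


if __name__ == "__main__":
    print(handle_request(POC_URL, hardened=False))  # payload reflected as live script
    print(handle_request(POC_URL))                  # rejected by the allow-list
    print(render_hardened(PAYLOAD))                 # encoded in every output context
```

The two mitigations are independent: the allow-list stops the PoC at the input boundary, while the output encoding protects any value that does reach the template, including legitimate release names that happen to contain parentheses or quotes. Encoding alone is the minimum fix; filtering alone is fragile against the alternative-encoding evasions the advisory mentions.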
References
==================================================
[1] OWASP. Cross-site Scripting (XSS). [ONLINE]
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2013.
[2] OWASP. XSS Filter Evasion Cheat Sheet. [ONLINE]
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, 2013.
[3] Microsoft. Protecting against XSS attacks. [ONLINE]
http://msdn.microsoft.com/en-us/library/ff649310.aspx, 2011.
** This vulnerability report is posted for the wider benefit of the security
community, as is and without any warranties, including the implied warranties
of merchantability and fitness for a particular purpose.
The information is posted under the FOI as per best security practice.
[Copyright Advanced Information Security Corp ©, 2014]