Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtPedro Andujar1337DAY-ID-21168
HistoryAug 27, 2013 - 12:00 a.m.

Cisco Ironport Cross Site Request Forgery / Cross Site Scripting

2013-08-2700:00:00
Pedro Andujar
0day.today
32

0.001 Low

EPSS

Percentile

48.6%

JSON

Cisco IronPort Security Management Appliance M170 version 7.9.1-030 suffers from cross site scripting and cross site request forgery vulnerabilities.

Tittle:   Cisco IronPort Security Management Appliance - Multiple issues
    Risk:   Medium
    Date:   20.May.2013
  Author:   Pedro Andujar
 Twitter:   @pandujar

              
.: [ INTRO ] :.


The Cisco Security Management Appliance helps to enable flexible management and comprehensive security control 
at the network gateway. Is a central platform for managing all policy, reporting, and auditing information 
for Cisco web and email security appliances.


.: [ TECHNICAL DESCRIPTION ] :.

Cisco IronPort Security Management Appliance M170 v7.9.1-030 (and probably other products), are prone to several security issues 
as described below;


.: [ ISSUE #1 }:.

Name: Reflected Cross Site Scripting
Severity: Low 
CVE: CVE-2013-3396

There is a lack of output escaping in the default error 500 page. When a exception occurs in the application, the error
description contains user unvalidated input from the request:

** PoC removed as requested by Cisco. **


.: [ ISSUE #2 }:.

Name: Stored Cross Site Scripting
Severity: Medium

Due to a lack of input validation on job_name, job_type, appliances_options and config_master parameters which are then 
printed unscapped on job_name, old_job_name, job_type, appliance_lists and config_master fields.


** PoC removed as requested by Cisco. **


.: [ ISSUE #3 }:.

Name: CSRF Token is not used
Severity: Low
CVE: CVE-2013-3395

CSRFKey is not used in some areas of the application, which make even easier to exploit Reflected XSS Issues. In the /report area 
of the application, we got no error even when completely removing the parameter CSRFKey; 

** PoC removed as requested by Cisco. **

See: http://tools.cisco.com/security/center/viewAlert.x?alertId=29844

.: [ ISSUE #4 }:.

Name: Lack of password obfuscation
Severity: Low

When exporting the configuration file even if you mark the "mask password" option, the SNMPv3 password still appears in cleartext.


.: [ CHANGELOG ] :.

  * 20/May/2013:   - Vulnerability found.
  * 27/May/2013:   - Vendor contacted.
  * 11/Jul/2013:   - Public Disclosure


.: [ SOLUTIONS ] :.

Thanks to Stefano De Crescenzo (Cisco PSIRT Team), because of his professional way of managing the entire process.

Stored XSS
CSCuh24755

Reflected XSS
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3396

SNMP password issue
CSCuh27268, CSCuh70314

CSRF
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3395

#  0day.today [2018-04-13]  #

Related

packetstorm 1
openvas 1
cve 2
prion 2
nvd 2
cisco 1
cvelist 2
packetstorm
packetstorm
Cisco Ironport Cross Site Request Forgery / Cross Site Scripting
2013-08-26 00:00:00
openvas
openvas
Cisco Content Security Management Appliance XSS and CSRF Vulnerabilities
2013-09-04 00:00:00
cve
cve
CVE-2013-3395
2022-10-03 16:14:45
CVE-2013-3396
2013-06-26 21:55:01
prion
prion
Cross site request forgery (csrf)
2013-07-02 03:43:00
Cross site scripting
2013-06-26 21:55:00
nvd
nvd
CVE-2013-3395
2013-07-02 03:43:34
CVE-2013-3396
2013-06-26 21:55:01
cisco
cisco
Cisco Content Filtering Devices Cross-Site Request Forgery Vulnerability
2013-07-01 12:44:06
cvelist
cvelist
CVE-2013-3395
2022-10-03 16:14:45
CVE-2013-3396
2013-06-26 21:00:00

0.001 Low

EPSS

Percentile

48.6%

JSON
Related for 1337DAY-ID-21168
packetstorm1openvas1cve2prion2nvd2cisco1cvelist2