Credit:
The information has been provided by Matias Pablo Brutti.
The original article can be found at: http://www.coresecurity.com/content/cisco-secure-desktop-xss
Vulnerable Systems:
* Cisco Secure Desktop 3.4.2048
Immune Systems:
* Cisco Secure Desktop 3.5.841
For the attack to succeed, the Secure Desktop application on the Cisco appliance must be turned on.
The Cisco Secure Desktop web application does not sufficiently verify whether a well-formed request was provided by the user who submitted the POST request. The cross-site scripting vulnerability was found in the following file/URL:
/-----
https://{IP}//+CSCOT+/translation?textdomain=csd&prefix=trans&lang=en-us
-----/
Using the POST variable:
/-----
Starting, please wait..."><script>alert(1);</script>
-----/
The content of the POST field is not encoded when it is used in HTML output, which allows an attacker who controls that content to insert JavaScript code. Furthermore, we could possibly inject JavaScript code into the 'start.html' page, because the content of the previously mentioned POST is used in 'binary/mainv.js' as input for an 'eval()' function, allowing an attacker to inject any code without restrictions, which will be executed in the context of the 'eval()' function:
/-----
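// POST the translation messages synchronously (third argument is false)
http_request.open('POST', path, false);
http_request.send(msgs);
var trans = new Array();
try {
    // the response text, which includes the POSTed content, is executed as script
    eval(http_request.responseText);
} catch (e) {}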
-----/
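The following is an added example, not code from the advisory or from Cisco: one way to consume the translation response as data instead of passing it to 'eval()', and to encode the strings before they reach HTML output. The response format (lines of the form trans["msgid"] = "text";) and the names parseTranslations and escapeHtml are assumptions.

```javascript
// Added example: hypothetical replacement for eval(http_request.responseText).
// Assumption: the endpoint answers with lines like  trans["msgid"] = "text";
const LINE = /^\s*trans\[("(?:[^"\\]|\\.)*")\]\s*=\s*("(?:[^"\\]|\\.)*")\s*;\s*$/;

// Parse the response as data. Any line that is not a plain string
// assignment rejects the whole response; nothing is ever executed.
function parseTranslations(responseText) {
  const trans = Object.create(null); // no inherited keys to collide with
  for (const line of responseText.split(/\r?\n/)) {
    if (line.trim() === "") continue;
    const m = LINE.exec(line);
    if (!m) throw new Error("unexpected content in translation response");
    try {
      // JSON.parse accepts only a well-formed string literal here
      trans[JSON.parse(m[1])] = JSON.parse(m[2]);
    } catch (e) {
      throw new Error("malformed string literal in translation response");
    }
  }
  return trans;
}

// Encode a translated string before it is placed in HTML output.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Constructed sample responses (not captured from a device).
const benign = 'trans["Starting, please wait..."] = "Starting, please wait...";\n';
// The advisory's POST value echoed back inside a string literal.
const reflected =
  'trans["Starting, please wait...\\"><script>alert(1);</script>"] = "x";\n';
// A response in which the echoed value has broken out of the string literal.
const injected = 'trans["a"] = "b"; alert(1);\n';
```

With this approach the echoed value in `reflected` stays an inert string that is encoded on output, and `injected` is rejected outright rather than run.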
CVE Information:
CVE-2010-0440
Disclosure Timeline:
2010-01-12: Vendor contacted.
2010-01-13: Cisco describes the fix and the non-vulnerable versions of the package.
2010-02-01: The advisory CORE-2010-0106 is published.