|
|
| |
Cisco Unified Communications Manager is vulnerable to a SQL Injection attack in the parameter key of the admin and user interface pages. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database.
Cisco has released free software updates that address this vulnerability. |
| |
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20080213-cucmsql.shtml
|
| |
Vulnerable Systems:
* Cisco Unified Communication Manager 5.0/5.1 versions prior to 5.1(3a) and 6.0/6.1 versions prior to 6.1(1a)
Immune Systems:
* Cisco CallManager or Unified Communication Manager systems prior to 5.0 are not affected by this vulnerability. No 3.x and 4.x releases are vulnerable.
Cisco Unified CallManager/Communications Manager (CUCM) is the call processing component of the Cisco IP telephony solution. This solution extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.
An attacker can trigger this SQL injection vulnerability by entering a specially crafted value is entered in the key parameter of either the admin or user interface page. Attacks against this vulnerability are conducted through the web interface and use the http or https protocol. A successful attack could terminate a SQL call and force a connection to the back-end database resulting in the disclosure of potentially sensitive information such as usernames and password hashes.
Impact
An authenticated attacker may be able to exploit this vulnerability to extract records from the Cisco Unified Communications Manager database. A successful attack might retrieve sensitive data such as user names, passwords hashes, and information from call records. An attacker cannot use this vulnerability to alter or delete call record information from the database.
CVE Information:
CVE-2008-0026
|
| Subject:
|
Security by Obscurity |
Date: |
21 Feb. 2008 |
| From: |
mr_daimonhotmail.com |
you can find dozens of call manager login pages but only one communications manager
Google search; intitle:cisco inurl:/ccmuser/ |
|
| Subject:
|
OOPs |
Date: |
24 Feb. 2008 |
| From: |
mr_daimonhotmail.com |
Find more with:
intitle:"e;cisco unified"e; inurl:ccmuser |
|
|
|
|
