    Cisco Online Help in a Slew of Products Could Open Systems to Attack

    By Lisa Vaas, March 16, 2007

      Cisco’s online help system, which is embedded in several of its products, contains a cross-site scripting vulnerability that could let an attacker run script in a user’s browser in the context of the affected product, the company reported on March 15.

      The XSS (cross-site scripting) flaw lets an attacker execute arbitrary script code in the victim’s browser if the attacker can lure the user into clicking a specially crafted URL.

      The flaw is found in the content search feature of Cisco’s online help system, which is embedded in many products. The help system enables users to search for specific keywords in the help contents and is implemented through an HTML form and scripting code.

      The vulnerability is that the search code in the file PreSearch.html (or in the file PreSearch.class, depending on the product) fails to properly sanitize user input.

      When a search keyword is entered that includes scripting code enclosed by <script> tags, the vulnerability is triggered. The help system sanitizes the initial text in some cases but fails to sanitize the text that follows the tagged text, so a second script block placed after the first one can still trigger the vulnerability.
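      The failure mode described above, as an added example that is not Cisco’s PreSearch.html or PreSearch.class code: a hypothetical help-search handler in JavaScript that strips only the first <script> block from the keyword before echoing it into the results page, beside a version that HTML-escapes the whole keyword so it can never become markup. The function names, the constructed payload and the check helper are assumptions made for the illustration; only the partial-sanitization behaviour comes from the advisory.

```javascript
// Added example, not Cisco's code. Models a help-search page that echoes the
// search keyword into the results HTML.

// Hypothetical vulnerable sanitizer: a non-global regex removes only the FIRST
// <script>...</script> span, so anything after it is passed through untouched.
function naiveSanitize(keyword) {
  return String(keyword).replace(/<script[^>]*>[\s\S]*?<\/script>/i, "");
}

// Vulnerable renderer: keyword is interpolated as markup after naive cleanup.
function renderResultsVulnerable(keyword) {
  return `<p>Results for "${naiveSanitize(keyword)}"</p>`;
}

// Hardened renderer: every HTML-significant character in the keyword is escaped,
// so the keyword is always displayed as text, never parsed as tags.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderResultsFixed(keyword) {
  return `<p>Results for "${escapeHtml(keyword)}"</p>`;
}

// Check helper: does the rendered page still contain a script element that a
// browser would execute? Matches "<script" followed by whitespace or ">".
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed payload (assumption, not from the advisory): the first script
// block is the one the help system strips; the second survives the cleanup.
const PAYLOAD = '<script>1</script>vpn<script>alert(document.cookie)</script>';

// Runs both renderers over the payload and reports whether script survived.
function demo(keyword = PAYLOAD) {
  return {
    vulnerable: containsScriptTag(renderResultsVulnerable(keyword)),
    fixed: containsScriptTag(renderResultsFixed(keyword)),
  };
}

console.log(renderResultsVulnerable(PAYLOAD));
console.log(renderResultsFixed(PAYLOAD));
console.log(demo());
```

      The point of the pair is that output encoding, not tag stripping, is the fix: a blacklist that removes one pattern is bypassed by a second copy, a different casing, or a different tag, while escaping the five characters above leaves nothing for the browser to parse as an element regardless of how many tags the keyword contains.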

      All versions of these products are affected, according to Cisco (bug IDs are viewable by registered customers only):

      • Cisco Secure Access Control Server (ACS) for Windows version 4.1 and Cisco Secure ACS Solution Engine version 4.1. Cisco Bug ID CSCsh91761.
      • Cisco VPN Client. Cisco Bug ID CSCsh52300.
      • Cisco Unified Personal Communicator. Cisco Bug ID CSCsh91884.
      • Cisco MeetingPlace and Cisco Unified MeetingPlace, end-user and Admin help systems. Cisco Bug ID CSCsi12435.
      • Cisco Unified MeetingPlace Express, end-user and Admin help systems. Cisco Bug ID CSCsh91901.
      • Cisco CallManager. Cisco Bug ID CSCsi10405.
      • Cisco IP Communicator. Cisco Bug ID CSCsh91953.
      • Cisco Unified Video Advantage (formerly Cisco VT Advantage). Cisco Bug ID CSCsh93070.
      • Cisco Unified Videoconferencing 3545 System, Cisco Unified Videoconferencing 3540 Series Videoconferencing System, Cisco Unified Videoconferencing 3515 MCU, Cisco Unified Videoconferencing 3527 PRI Gateway, Cisco Unified Videoconferencing 3526 PRI Videoconferencing Gateway, and Cisco Unified Videoconferencing Manager. Cisco Bug ID CSCsh93854.
      • Cisco WAN Manager (CWM). Cisco Bug ID CSCek71039.
      • Cisco Security Device Manager. Cisco Bug ID CSCsh95009.
      • Cisco Network Analysis Module (NAM) for Catalyst 6500 series switches and Cisco 7600 series routers, and for modular IOS routers. Cisco Bug ID CSCsi10818.
      • CiscoWorks and all products that integrate with CiscoWorks. Cisco Bug ID CSCsi10674.

      Affected CiscoWorks-related products include:

      • Management Center for IPS Sensors
      • Security Monitor
      • CiscoWorks LAN Management Solution
      • Router Management Essentials
      • Common Services
      • Device Fault Manager
      • CiscoView
      • Internetwork Performance Monitor (IPM)
      • Campus Manager
      • Cisco Wireless LAN Solution Engine (WLSE). Cisco Bug ID CSCsi10982.
      • Cisco 2006 Wireless LAN Controllers (WLC). Cisco Bug ID CSCsi13743.
      • Cisco Wireless Control System (WCS). Cisco Bug ID CSCsi13763.

      Cisco says that in some cases the vulnerability can be removed by deleting or renaming the files PreSearch.html and PreSearch.class; the operating system’s file search feature will show whether those files are present. The workaround doesn’t apply to appliances and other products where direct access to the file system is not available, and once the files are removed or renamed it will no longer be possible to search the product’s online help contents.

      The XSS vulnerability was reported to Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt.

      Cisco’s full response, and its guidance on addressing the flaw, are in the company’s security advisory.

      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
