Two security vulnerabilities have been identified in the CiscoWorks Common Services software package that allow a malicious user to carry out XSS attacks and to disclose sensitive information.
Package:
CiscoWorks Common Services Software 3.x
Operating systems:
Microsoft Windows Server 2003, Microsoft Windows Server 2008, Sun Solaris 9, Sun Solaris 10, VMware ESX Server 3.x, VMware ESX Server 4.x, VMware ESXi 3.x, VMware ESXi 4.x
Severity:
6.5
Problem:
inadequate input validation, error in a software component
Exploitation:
remote
Consequence:
disclosure of sensitive information, injection of HTML and script code
Solution:
vendor software patch
CVE:
CVE-2011-0961, CVE-2011-0966
Original advisory ID:
VUPEN/ADV-2011-1269
Source:
VUPEN
Problem:
The flaws are caused by inadequate validation of input data in the CiscoWorks Homepage Auditing and Framework Help Servlet components.
Consequence:
The flaws allow an attacker to carry out XSS attacks and to disclose potentially sensitive data.
Solution:
Users are advised to install the new software releases.
CiscoWorks Common Services Directory Traversal and Cross Site Scripting
VUPEN ID VUPEN/ADV-2011-1269
CVE ID CVE-2011-0961 - CVE-2011-0966
CWE ID Available in Customer Area
CVSS V2 Available in Customer Area
Rated as Moderate Risk
Impact Available in Customer Area
Authentication Level Available in Customer Area
Access Vector Available in Customer Area
Release Date 2011-05-19
Technical Description
Two vulnerabilities have been identified in Cisco CiscoWorks Common Services, which could be exploited by attackers to gain knowledge of sensitive information.
The first issue is caused by an input validation error in the CiscoWorks Homepage Auditing component, which could allow directory traversal attacks.
The second vulnerability is caused by an input validation error in the Framework Help Servlet, which could allow cross site scripting attacks.
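Both flaws come down to missing input validation on a server-side parameter: one that ends up in a file path (directory traversal) and one that is echoed into an HTML page (cross-site scripting). The following Python module is an added illustration of the two defensive checks a web component of this kind needs; it is not CiscoWorks code and says nothing about how the affected servlets are actually implemented. The document root, parameter names and log lines are constructed for the example.

```python
import html
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root of a help/audit file handler (constructed for this example).
DOC_ROOT = "/opt/example/help"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so that a double-encoded
    '%252e%252e%252f' is seen as '../' by the checks below."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the path for `requested` only if it stays inside `root`.

    Rejects NUL bytes, absolute paths and any '..' segment that survives
    normalisation. Returns None on a violation instead of 'repairing' the path,
    so the caller can log and refuse the request.
    """
    decoded = fully_decode(requested)
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators too, then collapse '.' and 'a/..' segments.
    norm = posixpath.normpath(decoded.replace("\\", "/"))
    if norm.startswith("/") or ".." in norm.split("/"):
        return None
    if norm == ".":
        return root
    return posixpath.join(root, norm)


def render_help_page(topic: str) -> str:
    """Echo a user-supplied parameter into HTML with context-appropriate escaping.
    quote=True also escapes ' and ", so the result is safe inside attribute values."""
    safe = html.escape(topic, quote=True)
    return f"<h1>Help: {safe}</h1>"


def flag_traversal_requests(log_lines):
    """Detection helper: return the constructed access-log lines whose request
    path would have been rejected by resolve_under_root."""
    hits = []
    for line in log_lines:
        # Constructed log format: '<client> "GET <path> HTTP/1.1" <status>'
        path = line.split('"')[1].split(" ")[1]
        if resolve_under_root(DOC_ROOT, path.lstrip("/")) is None:
            hits.append(line)
    return hits


if __name__ == "__main__":
    sample_log = [  # constructed sample access-log lines
        '10.0.0.5 "GET /help/index.html HTTP/1.1" 200',
        '10.0.0.9 "GET /help/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200',
    ]
    print(resolve_under_root(DOC_ROOT, "topics/index.html"))
    print(render_help_page('<b onmouseover="x()">hi</b>'))
    print(flag_traversal_requests(sample_log))
```

The traversal check deliberately returns None rather than silently stripping the offending segments: normalising "/../etc" to "/etc" would hide the attempt from the logs, whereas refusing it makes the request visible to the detection helper and to anyone reviewing the access log.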
Affected Products
CiscoWorks Common Services version 3.3 and prior
Solution
Apply patches:
http://tools.cisco.com/security/center/viewAlert.x?alertId=23088
http://tools.cisco.com/security/center/viewAlert.x?alertId=23089
References
http://www.vupen.com/english/advisories/2011/1269
http://tools.cisco.com/security/center/viewAlert.x?alertId=23088
http://tools.cisco.com/security/center/viewAlert.x?alertId=23089
http://seclists.org/fulldisclosure/2011/May/369
http://seclists.org/fulldisclosure/2011/May/382
Credits
Vulnerabilities reported by Sense of Security Labs.
Changelog
2011-05-19 : Initial release