Bugtraq mailing list archives

XSS vulnerability in the online help system of several Cisco products


From: cassio () mail com
Date: 15 Mar 2007 17:41:31 -0000

What: cross-site scripting (XSS) vulnerability in the online help system distributed with several Cisco products
Release Date: 03-15-2007
Application: 14 different applications verified by Cisco up to now. For a complete list of affected products see 
http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml
Vendor status: Replicated and verified by Cisco Systems, patch available.


Overview: 

        A cross-site scripting vulnerability exists in the search engine of the HTML help file of the Cisco VPN 
client. As a result, when a specially crafted search is performed, arbitrary code running with the privileges of the 
currently logged-in user can be executed on the host in question.


Details: 

        Cisco online help provides an HTML-based search feature. During my investigation it was discovered that a 
specially crafted query can lead to script execution despite attempts to cleanse user input by eliminating special 
characters such as “<>;:” from the beginning and end of the search string, as observed in the HTML code.

        The result is script code execution in the local user context on the host. Preliminary tests concluded the 
system is vulnerable with most popular web browsers, such as Microsoft Internet Explorer 7.0 and Mozilla Firefox 2.0, 
fully patched.

        User intervention (e.g. clicking on a malicious link) is necessary to trigger the exploit.

Vendor Response:

        The above vulnerability was addressed by Cisco Systems and a patch is available. For details see 
http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml 

Recommendation:

        Apply the patch supplied by Cisco Systems according to your organization’s software maintenance, test and 
deployment procedures.
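
The Details section describes a filter that strips “<>;:” only from the beginning and end of the search string. The following added example (constructed here, not part of the original post and not Cisco's code) shows why such edge trimming lets markup in the middle of a query through, next to output encoding that does not; all function names and sample queries are assumptions.

```javascript
// Constructed illustration; not the code shipped in the Cisco help files.
const EDGE_CHARS = "<>;:";

// Weak filter (as described in the post): strips the special characters
// only from the beginning and end of the search string.
function trimEdges(query) {
  let start = 0;
  let end = query.length;
  while (start < end && EDGE_CHARS.includes(query[start])) start++;
  while (end > start && EDGE_CHARS.includes(query[end - 1])) end--;
  return query.slice(start, end);
}

// Hardened: encode every HTML metacharacter at output time, wherever it sits.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical result-page renderers that echo the query back to the user.
function renderWeak(query) {
  return "<p>Results for: " + trimEdges(query) + "</p>";
}

function renderHardened(query) {
  return "<p>Results for: " + escapeHtml(query) + "</p>";
}

// True if the user-supplied text introduced live markup into the page.
function injectsMarkup(html) {
  const inner = html.slice("<p>Results for: ".length, -"</p>".length);
  return /<[a-zA-Z\/]/.test(inner);
}

// Constructed sample queries (benign markup only).
const samples = ["<<vpn setup>>", "vpn <b>setup</b> guide"];
for (const q of samples) {
  console.log(JSON.stringify(q),
    "weak:", injectsMarkup(renderWeak(q)),
    "hardened:", injectsMarkup(renderHardened(q)));
}
```

When the page is built through the DOM rather than by string concatenation, assigning the query to `textContent` gives the same protection as `escapeHtml`.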

