微慑信息网

CVE-2008-0533-漏洞详情

CVE-2008-0533
CVSS 4.3
发布时间 :2008-03-14 16:44:00
修订时间 :2011-03-07 22:04:51
NMCOP    

[原文]Multiple cross-site scripting (XSS) vulnerabilities in securecgi-bin/CSuserCGI.exe in User-Changeable Password (UCP) before 4.2 in Cisco Secure Access Control Server (ACS) for Windows and ACS Solution Engine allow remote attackers to inject arbitrary web script or HTML via an argument located immediately after the Help argument, and possibly unspecified other vectors.


[CNNVD]Cisco User-Changeable Password(UCP)CSuserCGI.exe本地HELP参数多个跨站脚本漏洞(CNNVD-200803-227)

        UCP应用允许终端用户使用基于Web的工具更改Cisco Secure Access Control Server(ACS)的口令。


        /securecgi-bin/CSUserCGI.exe CGI存在多个缓冲区溢出和跨站脚本漏洞,远程攻击者可能利用一个本地HELP参数后的直接参数注入任意WEB脚本和HTML代码.也有可能是其他未知向量


        


CVSS (基础分值)

CVSS分值: 4.3 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]


CWE (弱点类目)

CWE-79 [在Web页面生成时对输入的转义处理不恰当(跨站脚本)]


CPE (受影响的平台与产品)

cpe:/a:cisco:acs_solution_engine Cisco ACS Solution Engine
cpe:/a:cisco:acs_for_windows Cisco ACS for Windows
cpe:/a:cisco:user_changeable_password:4.1


OVAL (用于检测的技术细节)

未找到相关OVAL定义


官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0533

(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0533

(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200803-227

(官方数据源) CNNVD


其它链接及资源

http://www.cisco.com/en/US/products/products_security_advisory09186a008095f0c4.shtml


(PATCH)  CISCO  20080312 Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities
http://secunia.com/advisories/29351


(VENDOR_ADVISORY)  SECUNIA  29351
http://xforce.iss.net/xforce/xfdb/41156


(UNKNOWN)  XF  cisco-acs-ucp-csusercgi-xss(41156)
http://www.vupen.com/english/advisories/2008/0868


(UNKNOWN)  VUPEN  ADV-2008-0868
http://www.securityfocus.com/bid/28222


(UNKNOWN)  BID  28222
http://www.securityfocus.com/archive/1/archive/1/489463/100/0/threaded


(UNKNOWN)  BUGTRAQ  20080312 Cisco ACS UCP Remote Pre-Authentication Buffer Overflows
http://www.recurity-labs.com/content/pub/RecurityLabs_Cisco_ACS_UCP_advisory.txt


(UNKNOWN)  MISC  http://www.recurity-labs.com/content/pub/RecurityLabs_Cisco_ACS_UCP_advisory.txt
http://securitytracker.com/id?1019607


(UNKNOWN)  SECTRACK  1019607
http://securityreason.com/securityalert/3743


(UNKNOWN)  SREASON  3743


漏洞信息

Cisco User-Changeable Password(UCP)CSuserCGI.exe本地HELP参数多个跨站脚本漏洞
中危 跨站脚本
2008-03-14 00:00:00 2008-09-05 00:00:00
远程  
        UCP应用允许终端用户使用基于Web的工具更改Cisco Secure Access Control Server(ACS)的口令。


        /securecgi-bin/CSUserCGI.exe CGI存在多个缓冲区溢出和跨站脚本漏洞,远程攻击者可能利用一个本地HELP参数后的直接参数注入任意WEB脚本和HTML代码.也有可能是其他未知向量


        


公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:


        http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtmlbin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/ciscosecure/special/acs/macgyver/UCP_4.2.0.124-K9.zip&app=Tablebuild&status=showC2A


漏洞信息 (F64534)

RecurityLabs_Cisco_ACS_UCP_advisory.txt (PacketStormID:F64534)

2008-03-13 00:00:00
FX  recurity-labs.com

exploit,overflow,vulnerability,xss

cisco,windows

CVE-2008-0532,CVE-2008-0533

[点击下载]

The Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application suffers from buffer overflow and cross site scripting vulnerabilities. Details provided.


漏洞信息 (F64533)

Cisco Security Advisory 20080312-ucp (PacketStormID:F64533)

2008-03-13 00:00:00
FX,Cisco Systems  cisco.com

advisory,remote,overflow,arbitrary,vulnerability,xss

cisco,windows

CVE-2008-0532,CVE-2008-0533

[点击下载]

Cisco Security Advisory – Two sets of vulnerabilities were discovered in the Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application. The first set of vulnerabilities address several buffer overflow conditions in the UCP application that could result in remote execution of arbitrary code on the host system where UCP is installed. The second set of vulnerabilities address cross-site scripting in the UCP application pages.


漏洞信息


42962
Cisco Secure Access Control Server (ACS) CSUserCGI.exe Help Facility XSS

Remote / Network Access

Input Manipulation
Loss of Integrity
Exploit Commercial


漏洞描述


时间线


2008-03-12

Unknow
Unknow Unknow


解决方案

Upgrade to version 4.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


相关参考


漏洞作者

本文标题:CVE-2008-0533-漏洞详情
本文链接:
(转载请附上本文链接)
http://vulsee.com/archives/vulsee_2019/0713_3335.html
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » CVE-2008-0533-漏洞详情
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

微慑信息网 专注工匠精神

访问我们联系我们