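Cisco Secure ACS Cross-Site Scripting Vulnerability
Published: 2002-06-17
Updated: 2002-06-17
Severity: Medium
Threat level: Server information disclosure
Error type: Input validation error
Exploitation method: Client mode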
BUGTRAQ ID:5026
Affected systems:
Cisco Secure ACS for Windows NT 3.0.1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6a
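Cisco Secure ACS for Windows NT 3.0
Detailed description: Cisco Secure ACS is an access control and accounting service system.
A vulnerability in the web service component of Cisco Secure ACS allows an attacker to carry out cross-site scripting attacks. When such a link is visited, the HTML or script code supplied by the attacker is executed in the user's browser, leading to disclosure of sensitive information.
Test code: http://example.com:dyn_port/setup.exe?action=<script>alert('foo+bar')</script>&page=list_users&user=P*
Solution: None yet.
Related information: Dave Palumbo <dpalumbo@yahoo.com>.
Reference: http://online.securityfocus.com/archive/1/277053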
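With no fix listed, one defensive option is to look in the web server's access logs for requests to setup.exe whose query parameters carry HTML markup, including percent-encoded forms. The Python below is an added example, not part of the original advisory or of Cisco's software; the log format, the sample lines and the `action=list` value are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")  # start of an HTML tag
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) [^"]*"')
MAX_DECODE_ROUNDS = 3  # assumption: enough to undo layered percent-encoding

# Constructed access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jun/2002:10:00:01 +0000] "GET /setup.exe?action=list&page=list_users&user=P* HTTP/1.0" 200 512',
    '192.0.2.11 - - [17/Jun/2002:10:00:02 +0000] "GET /setup.exe?action=<script>alert(\'foo+bar\')</script>&page=list_users&user=P* HTTP/1.0" 200 512',
    '192.0.2.12 - - [17/Jun/2002:10:00:03 +0000] "GET /setup.exe?action=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=list_users HTTP/1.0" 200 512',
    '192.0.2.13 - - [17/Jun/2002:10:00:04 +0000] "GET /setup.exe?action=%253Cscript%253Ealert(1)%253C/script%253E&page=list_users HTTP/1.0" 200 512',
    '192.0.2.14 - - [17/Jun/2002:10:00:05 +0000] "GET /index.html?q=<b> HTTP/1.0" 200 512',
]

def fully_decode(value):
    """Percent-decode repeatedly so %253Cscript%253E is seen as <script>."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(request_target):
    """Names of setup.exe query parameters whose decoded value contains a tag."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/setup.exe"):
        return []  # only the component named in the advisory is checked
    return [name
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if TAG_RE.search(fully_decode(value))]

def scan(lines):
    """Return (line_number, parameter_names) for every flagged log line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((number, hits))
    return findings

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: markup in parameter(s) {', '.join(names)}")
```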