
Thread: Multiple Vulnerabilities with the Cisco Developer Network

  1. #1
    karniv0re

    Multiple Vulnerabilities with the Cisco Developer Network



    I found a bunch of vulnerabilities with Cisco subdomains a couple of weeks ago. Some of them were plain old XSS vulnerabilities, while others were more interesting. Cisco is yet to fix some of them, which I will not be talking about here; however, I will discuss the other issues that I found and which have now been fixed.

    I found an XSS on the developer.cisco.com domain, and since Cisco uses Single Sign On for most of its subdomains, an attacker could simply exploit this issue and gain access to the user accounts under other Cisco domains. The Cisco Developer Network runs on a well known product, which is actively maintained by the developers and used worldwide by several major corporations.

    The other issue I found was particularly interesting because the application failed to check necessary user privilege levels while a user attempted access to application modules that were obviously sensitive. To this effect, I was able to locate the administration modules of several key sections under developer.cisco.com that would have allowed me to upload files, change and delete the content that users would see. I had access to all available administrative tasks since the application was clearly not checking whether I had admin or guest privileges. To make things worse, Google had traversed and cached these pages, which would allow an attacker to reach all the administration modules following an advanced Google search.


    Now that both the issues have been fixed, here's a finer look at the vulnerabilities:

    1. XSS in the Cisco Developer Network (developer.cisco.com)
    The following pages accept client side input via the '_153_keywords' parameter and render it back to the browser without sanitization.
    This was a POST based XSS, hence to craft an attack vector, an attacker would need to create a page that autosubmits a form on page/body.

    [Screenshot: XSS_myworkflow_tasks_completed.jpg]

    [Screenshot: XSS_myworkflow_tasks_pending.jpg]

    2. Insufficient privilege/permission check on the Cisco Developer Network.
    The application did not verify the permission levels of logged in users when providing access to the administration modules of several sections listed on http://developer.cisco.com/web/cdc/tech under "Available Technology Centers"

    Some examples were:
    More details, on my blog: http://www.riyazwalikar.com/2012/06/...ith-cisco.html
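Added example, not part of the original post and not Cisco's or the product's own code: a Python request handler showing the two server-side controls the findings above point to, HTML-encoding the `_153_keywords` value before echoing it and checking the session role on every administration module request. The paths, role names and the `handle`/`render_tasks` functions are hypothetical; the `X-Robots-Tag` header is added as defence in depth against the search-engine caching the post mentions.

```python
import html

# Hypothetical module paths and role names, constructed for this example.
ADMIN_PREFIX = "/admin/"
ROLE_RANK = {"guest": 0, "user": 1, "admin": 2}


def render_tasks(form):
    """Echo the search keywords back into the page, HTML-encoded."""
    raw = form.get("_153_keywords", "")
    # quote=True also encodes " and ', so the value is safe inside an attribute.
    safe = html.escape(raw, quote=True)
    return ('<form method="post">'
            f'<input name="_153_keywords" value="{safe}">'
            f'</form><p>Results for: {safe}</p>')


def handle(role, path, form):
    """Return (status, headers, body) for one request.

    The role must come from the server-side session, never from the request.
    """
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if path.startswith(ADMIN_PREFIX):
        # Keep administration pages out of search-engine indexes and caches.
        headers["X-Robots-Tag"] = "noindex, noarchive"
        # Deny by default: unknown roles rank below every real role.
        if ROLE_RANK.get(role, -1) < ROLE_RANK["admin"]:
            return 403, headers, "Forbidden"
        return 200, headers, "admin module"
    if path == "/tasks":
        return 200, headers, render_tasks(form)
    return 404, headers, "Not found"


if __name__ == "__main__":
    # Constructed sample requests.
    probe = {"_153_keywords": '"><b>probe</b>'}
    print(handle("guest", "/tasks", probe)[2])
    print(handle("guest", "/admin/upload", {})[0])
    print(handle("admin", "/admin/upload", {})[0])
```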