
Security flaw threatens Cisco Web site

Patrick Gray ZDNet Australia

Published: 20 Dec 2002 10:17 GMT


Securiteam.com, an online security portal, has found a Cross-Site Scripting (XSS) vulnerability in the cisco.com Web site, according to an advisory.

"The vulnerability would allow attackers to cause users to view third-party malicious JavaScript or HTML code as if it were the legitimate content offered by Cisco," the advisory said.

XSS vulnerabilities are at their most serious when user logins are involved. In some circumstances they may make it possible for an attacker to "steal" a user's session information, potentially allowing the attacker to log in as the victim user.

It is not known if Cisco, which does have a client login function on its Web site, is vulnerable to this extent. "Session theft" attacks are not very easy to carry out, and must be directed at the user of the affected site, not the site itself.

The Cisco Web site login function allows users to "...place and manage orders for Cisco networking products and services via the Internet", the advisory said.

Logged-in customers can also download versions of Cisco's IOS software not normally available to the public.

XSS vulnerabilities have come into fashion lately, with many security researchers focusing their efforts on detecting and eliminating the problem.

The recently held hacking competition, OpenHack IV, dished out $500 (£320) to a single entrant, Jeremy Poteet, who found XSS vulnerabilities in the application being tested, which was engineered by Oracle.

Cisco was not immediately available for comment.

