[cisco-voip] adding a disclaimer/MOTD in CUCM?

Anthony Holloway avholloway+cisco-voip at gmail.com
Wed Nov 27 15:08:14 EST 2013


FWIW, you can use this MOTD feature to inject HTML, CSS, VBScript and
JavaScript into the login/about pages of CUCM.

With that knowledge, you could do things such as:

   1. Embed a partner logo on client systems with pertinent support contact
   information
   2. Embed a random tip of the day for your administrators (use JS to ID
   the location as ccmadmin)
   3. Embed a random tip of the day for your users (use JS to ID the
   location as ccmuser)
   4. Embed links to training material/intranet sites for your users
   (ccmuser)
   5. Embed a link to open a phone ticket for your users (ccmuser)
   6. Pre-fill the login form and auto submit for auto-login (maybe a lab
   usage thing only)
   7. Place a red text warning about some critical service down on April
   Fools' Day for your manager/co-workers to sweat over
   8. Change the onSubmit event listener to HTTP GET/POST the j_username
   and j_password field values to a third party server, effectively stealing
   people's passwords as they log in to CUCM

That last one is not advised.  I only mentioned it to illustrate the evil
side of being allowed to inject code into code.  Perhaps Cisco should fix
this by escaping the MOTD HTML tags?  And while we're on the topic of
stealing people's passwords from CUCM, we're securing our LDAP integrations,
right?

admin:utils network capture numeric count 100000 size ALL file ldap

admin:file get activelog platform/cli/ldap.cap

wireshark filter: ldap.bindRequest


Ok ok, so some of you are like: "why would I want to do any of that?"  And
you're right, these are not the best ideas I've ever had; however, knowing
that the possibilities even exist has its benefit.

I've actually done each one of these as an exercise, so if you want to know
more or need help getting a working solution put together, let me know.

Also, it should be obvious too then, that the CLI representation of the
MOTD cannot do these things, but it will still spit out the ugly HTML/code
you are trying to inject.  I have gotten around that a little bit by doing
two things:

   1. Make the injection as small as possible, leveraging off-box resources
   (JS, images, etc.)
   2. Put a bunch of newlines at the end of the file, which causes the
   terminal window to scroll the MOTD out of the view port and possibly out of
   the buffer.

I hope you found that useful.




On Tue, Nov 26, 2013 at 1:17 PM, Erick Wellnitz <ewellnitzvoip at gmail.com> wrote:

> Okay...I'm either behind the times or our partner has some explaining to
> do.
>
> At install, our partner added a 'disclaimer' to both the CLI and web admin
> pages of CUCM 9.x
>
> Last I knew, you had to 'hack' root access to do this.   Is that still the
> case or is there somewhere to set and change this?
>
> Thanks!
>
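
An added example, not part of the original post or of any Cisco code: a Python audit of MOTD text for the kinds of markup the message lists (script tags, event handlers, off-box resources), next to the HTML-escaped rendering the message suggests as the fix. The sample banner, the hostnames and the names `audit_motd` and `render_escaped` are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Tags that run code or restyle/redirect the page when rendered in a browser.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form", "link", "style", "meta", "base"}
URL_ATTRS = {"src", "href", "action", "formaction", "data"}

# Constructed sample banner (hostnames are placeholders, not from the post).
SAMPLE_MOTD = (
    "Authorized use only.\n"
    '<img src="https://static.example.invalid/logo.png">\n'
    '<script src="//static.example.invalid/tip.js"></script>\n'
    '<b onclick="void(0)">Support desk: x1234</b>\n'
)

# Collects (line, kind, detail) for markup a browser would act on.
class MotdAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, "active-tag", tag))
        for name, value in attrs:
            value = (value or "").strip()
            scheme = value.split(":", 1)[0].lower() if ":" in value else ""
            if name.startswith("on"):  # onclick, onsubmit, onload, ...
                self.findings.append((line, "event-handler", f"{tag}[{name}]"))
            elif name in URL_ATTRS and scheme in ("javascript", "vbscript", "data"):
                self.findings.append((line, "script-url", f"{tag}[{name}]"))
            elif name in URL_ATTRS and (scheme in ("http", "https") or value.startswith("//")):
                self.findings.append((line, "off-box-resource", value))

def audit_motd(text):
    """Return findings for a banner; an empty list means plain text only."""
    auditor = MotdAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.findings

def render_escaped(text):
    """What a page would emit if the banner were HTML-escaped before display."""
    return html.escape(text, quote=True).replace("\n", "<br>\n")

if __name__ == "__main__":
    for finding in audit_motd(SAMPLE_MOTD):
        print(finding)
    print(render_escaped(SAMPLE_MOTD))
```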