[cisco-voip] Cisco 7900 series phone Nessus scan
Jason Aarons (AM)
jason.aarons at dimensiondata.com
Wed May 21 21:09:53 EDT 2014
Were you able to successfully inject the Referer per the nessus.org database article using nmap? The list of affected devices didn’t list any Cisco products, but test anyway.
http://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf
I always worry about generic Nessus scans. You really have to know what you're doing, and my experience is that the person doing a Nessus scan really isn't a security guru and won't fact check what Nessus reports.
From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of me at go0se.com
Sent: Wednesday, May 21, 2014 5:06 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Cisco 7900 series phone Nessus scan
When performing a Nessus scan on a 7970 Cisco phone running
SCCP70.9-3-1SR4-1S code (the latest I can find), it reports the
following "medium" vulnerability:
RomPager HTTP Referer Header XSS
Description
The remote RomPager HTTP server is affected by a cross-site scripting
vulnerability. The server does not properly sanitize the referer
header value when generating a 404 error page.
Solution
Upgrade to RomPager 4.51 or later.
See Also
http://www.nessus.org/u?54798697
I also receive this same vulnerability when scanning a 7961 and a 9951
phone. I've done some googling and don't find anything relevant to
locking this down on a Cisco phone. Any suggestions?
Thanks,
Go0se
--------------------------------------
Help Hopegivers International
feed the orphans of Haiti and India
http://www.hopegivers.org
--------------------------------------
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
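One way to do the fact-checking Jason describes, as an added example that is not from the thread, from Nessus or from Cisco: it requests a path that does not exist on a phone you administer, sends a harmless tagged marker as the Referer, and reports whether the 404 page echoes the marker verbatim (what the plugin flags), HTML-escaped (sanitised, so a false positive), or not at all. The host, the request path and the marker format are assumptions.

```python
"""Check whether a device's 404 page reflects the Referer header unescaped."""
import html
import http.client
import secrets

def make_probe(token=None):
    """Build the Referer value to send. The angle brackets carry no script; they
    only make it visible whether the server escaped them before echoing them."""
    token = token or secrets.token_hex(6)
    return f"<refcheck-{token}>"

def classify_reflection(body, probe):
    """Describe how the response body echoes the Referer probe:
    'unescaped' : probe appears verbatim (the behaviour the Nessus plugin reports)
    'escaped'   : probe appears HTML-encoded (server sanitised it; finding is a false positive)
    'altered'   : token survives but the brackets were stripped or rewritten
    'absent'    : the Referer is not reflected at all
    """
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=False) in body:
        return "escaped"
    if probe.strip("<>") in body:
        return "altered"
    return "absent"

def check_device(host, port=80, probe=None, timeout=5):
    """Fetch a non-existent path (assumed name) so the 404 page is rendered, with
    the probe as Referer, and return (HTTP status, reflection verdict)."""
    probe = probe or make_probe()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/refcheck-does-not-exist", headers={"Referer": probe})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        return resp.status, classify_reflection(body, probe)
    finally:
        conn.close()

if __name__ == "__main__":
    import sys
    status, verdict = check_device(sys.argv[1])   # e.g. the phone's IP address
    print(f"HTTP {status}: Referer reflection is {verdict}")
```

A verdict of "unescaped" on a 404 response confirms the scanner's observation; "escaped" or "absent" means the finding should be recorded as a false positive for that firmware.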