[cisco-voip] Bug Search Code Injection

Lelio Fulgenzi lelio at uoguelph.ca
Tue Aug 20 13:42:30 EDT 2019


Ok – for those of us less knowledgeable, how exactly is this “code injection” ?



---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook

From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Anthony Holloway
Sent: Tuesday, August 20, 2019 1:38 PM
To: Norton, Mike <mikenorton at pwsd76.ab.ca>
Cc: Cisco VoIP Group <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Bug Search Code Injection

Exactly. Like there might be a feature disabled for preventing code injection on the site as a whole, and not all code injection displays something like that. In fact, I'd wager an attack via code injection would go unnoticed by the user altogether.

On Tue, Aug 20, 2019 at 12:08 PM Norton, Mike <mikenorton at pwsd76.ab.ca> wrote:
Used to be that reading documentation articles about “null” – e.g. null routes, Null 0 interface, etc. – would give some rather, uh, “interesting” results in the related community discussions box off to the side of the article. Agreed it is rather concerning. Basically every language has standard functions for properly sanitizing/escaping text so there is no excuse other than sloppiness... which makes one wonder what else they are sloppy with.

-mn
From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Anthony Holloway
Sent: August 20, 2019 8:35 AM
To: Cisco VoIP Group <cisco-voip at puck.nether.net>
Subject: [cisco-voip] Bug Search Code Injection

Looks like I stumbled across some code injection on the following defect page:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976

It's innocent enough, but concerning that it's even possible.

[image.png]
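Mike's point above is that the fix for this class of bug is routine: user-submitted text (a discussion title, a comment, a bug description) must be escaped for the context it is rendered into before it is concatenated into the page. The following is an added example written for this thread, not code from the Cisco Bug Search site or from anyone on the list. It shows the unsafe pattern that produces "code injection" in a page beside the escaped version, using a constructed set of "related discussion" entries (the titles, URLs and the example.invalid host are made up for the demonstration).

```javascript
// Added example: rendering untrusted text into HTML safely versus unsafely.
// Everything below (post titles, URLs, the example.invalid host) is constructed
// for the demonstration and does not come from the site discussed in the thread.

// The five characters that let text break out of an HTML text node or a
// quoted attribute value. '&' is included so that already-encoded input such
// as "&lt;" is emitted as "&amp;lt;" and is never decoded twice by the browser.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string for use inside an HTML text node or a double-quoted
// attribute. A single regex pass means each character is replaced exactly once.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Escaping is not enough for href values: "javascript:" is valid attribute
// text after escaping, so links are additionally restricted to http(s).
// Anything else (or anything unparsable) is replaced with an inert "#".
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === 'https:' || u.protocol === 'http:') return u.href;
  } catch (e) {
    // unparsable URL: fall through to the inert value
  }
  return '#';
}

// UNSAFE: the pattern behind a "code injection" in a page. Post titles come
// from users, and here they are concatenated straight into the markup.
function renderRelatedDiscussionsUnsafe(posts) {
  const items = posts.map((p) => `<li><a href="${p.url}">${p.title}</a></li>`);
  return `<ul class="related">${items.join('')}</ul>`;
}

// SAFE: every untrusted value is escaped for the context it lands in, and the
// link target is scheme-checked before it is used as an href.
function renderRelatedDiscussions(posts) {
  const items = posts.map(
    (p) => `<li><a href="${escapeHtml(safeHref(p.url))}">${escapeHtml(p.title)}</a></li>`
  );
  return `<ul class="related">${items.join('')}</ul>`;
}

// Constructed sample input: ordinary titles, one with embedded markup, and one
// with a non-http link target.
const SAMPLE_POSTS = [
  { title: 'Why does "Null 0" show up in my routing table?', url: 'https://example.invalid/q/1' },
  { title: 'Null routes & BGP <script>/* constructed untrusted markup */</script>', url: 'https://example.invalid/q/2' },
  { title: "Discarding traffic on 'Null0'", url: 'javascript:void(0)' },
];

// Simple check a reviewer can run against rendered output: raw tags or
// non-http hrefs surviving into the markup mean escaping was skipped somewhere.
function containsRawMarkup(html) {
  return /<script|href="javascript:/i.test(html);
}

// Stand-alone run: the unsafe renderer leaks the markup, the safe one does not.
console.log('unsafe leaks markup:', containsRawMarkup(renderRelatedDiscussionsUnsafe(SAMPLE_POSTS)));
console.log('safe leaks markup:  ', containsRawMarkup(renderRelatedDiscussions(SAMPLE_POSTS)));
console.log(renderRelatedDiscussions(SAMPLE_POSTS));
```

Note that `escapeHtml` covers text nodes and quoted attribute values only; a value placed inside a `<script>` block, a CSS property or an unquoted attribute needs a different encoder for that context, which is the usual reason escaping-by-hand gets missed on a large site and why templating engines that escape by default are preferred.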