<div dir="ltr">FWIW, you can use this MOTD feature to inject HTML, CSS, VBScript and Javascript into the login/about pages of CUCM.<div><br></div><div>With that knowledge, you could do things such as:</div><div><ol><li>Embed a partner logo on client systems with pertinent support contact information<br>
</li><li>Embed a random tip of the day for your administrators (use JS to ID the location as ccmadmin)</li><li>Embed a random tip of the day for your users (use JS to ID the location as ccmuser)</li><li>Embed links to training material/intranet sites for your users (ccmuser)</li>
<li>Embed a link to open a phone ticket for your users (ccmuser)</li><li>Pre-fill the login form and auto submit for auto-login (maybe a lab usage thing only)<br></li><li>Place a red text warning about some critical service down on April Fools day for your manager/co-workers to sweat over<br>
</li><li>Change the onSubmit event listener to HTTP GET/POST the j_username and j_password field values to a third party server, effectively stealing peoples passwords as they login to CUCM</li></ol></div><div>That last one is not advised. I only mentioned it to illustrate the evil side of being allowed to inject code into code. Perhaps Cisco should fix this by escaping the MOTD HTML tags? And while we're on the topic of stealing people's passwords from CUCM, we're securing our LDAP integrations right?</div>
<div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><font face="courier new, monospace">admin:utils network capture numeric count 100000 size ALL file ldap</font></div></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div><font face="courier new, monospace">admin:file get activelog platform/cli/ldap.cap</font></div></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><font face="courier new, monospace">wireshark filter: ldap.bindRequest</font></div>
</blockquote><div><br></div><div>Ok ok, so some of you are like: "why would I want to do any of that?" And you're right, these are not the best ideas I've ever had; however, knowing that the possibilities even exist has its benefit.</div>
<div><br></div><div>I've actually done each one of these as an exercise, so if you want to know more or need help getting a working solution put together, let me know.</div><div><br></div><div>Also, it should be obvious too then, that the CLI representation of the MOTD cannot do these things, but it will still spit out the ugly HTML/code you are trying to inject. I have gotten around that a little bit by doing two things:</div>
<div><ol><li>Make the injection as small as possible, leveraging off box resources (JS, images, etc.)<br></li><li>Put a bunch of newlines at the end of the file, which causes the terminal window to scroll the MOTD out of the view port and possibly out of the buffer.</li>
</ol></div><div>I hope you found that useful.</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Nov 26, 2013 at 1:17 PM, Erick Wellnitz <span dir="ltr"><<a href="mailto:ewellnitzvoip@gmail.com" target="_blank">ewellnitzvoip@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Okay...I'm either behind the times or our partner has some explaining to do.</div><div> </div><div>
At install, our partner added a 'disclaimer' to both the CLI and web admin pages of CUCM 9.x</div>
<div> </div><div>Last I knew, you had to 'hack' root access to do this. Is that still the case or is there somewhere to set and change this?</div><div> </div><div>Thanks!</div><div> </div><div> </div></div>
<br>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br></div>