Bugtraq mailing list archives

Security problems in some looking glasses!


From: Zvezdelin Vladov <zvezdi_v () yahoo com>
Date: Mon, 1 Oct 2001 13:10:08 -0700 (PDT)

PROBLEM DESCRIPTION:
====================
Some looking glasses (they are many)
pass control chars through the user interface
to the router.

Result:
=======
A user may receive remote access to your router
and issue commands under the user of your
looking glass.

All information that a regular user (or the
looking glass user) may obtain is available,
including 

sh in 
sh ver
sh route-map
sh access-l
sh traffic-shape
sh log

whatever sensitive information the looking glass
user has access to.


WHO IS AFFECTED
===============

Not all looking glasses are affected.

If you issue [some control chars] 
for example to the looking glass prompt box
and receive "invalid autocommand ...."
you are not affected, but if you receive
the prompt of the router, or the resulted command,
you are affected.


FIX
===
Exclude the commands the looking glass user should
not issue from the current priv level of the
Cisco router. The latter has been commented on
this list.
There may be others, like changing the source
of the looking glass.

Zvezdelin Vladov
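
An added example, not part of the original post and not the code of any particular looking glass, of the source-side fix the post mentions: the looking glass builds the router command itself from an allowlisted query type and a validated address, and refuses any input that contains a control character. The query names, command templates and function names are assumptions.

```python
import ipaddress
import unicodedata

# Assumed query names and command templates (not from the post); list only
# what the looking glass is meant to expose.
ALLOWED_QUERIES = {
    "bgp": "show ip bgp {target}",
    "ping": "ping {target}",
    "trace": "traceroute {target}",
}


class RejectedInput(ValueError):
    """Form input that must not be forwarded to the router."""


def has_control_chars(text):
    # Unicode category Cc is every C0/C1 control character plus DEL.
    return any(unicodedata.category(ch) == "Cc" for ch in text)


def build_router_command(query, target):
    """Return the one command line to send, or raise RejectedInput."""
    for field in (query, target):
        if has_control_chars(field):
            raise RejectedInput("control character in input")
    template = ALLOWED_QUERIES.get(query)
    if template is None:
        raise RejectedInput("query type not allowed")
    try:
        # Parse, then re-serialise: only a canonical address reaches the
        # router, never the raw form field.
        addr = ipaddress.IPv4Address(target.strip())
    except ValueError:
        raise RejectedInput("target is not an IPv4 address") from None
    return template.format(target=str(addr))


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [("bgp", "192.0.2.1"), ("bgp", "192.0.2.1\x01"),
               ("sh log", "192.0.2.1"), ("ping", "192.0.2.1 sh log")]
    for query, target in samples:
        try:
            print(repr((query, target)), "->", build_router_command(query, target))
        except RejectedInput as exc:
            print(repr((query, target)), "-> rejected:", exc)
```

This complements the router-side restriction of commands at the looking glass user's privilege level described in the post; it does not replace it.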

