Full Disclosure mailing list archives

RE: taking their revenge @ cisco


From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 4 Aug 2005 13:24:37 -0500

It has nothing to do with IOS at all. All the other SQL injections
that happen in the world have nothing to do with Cisco IOS flaws. This
is a pure case of the search function being open to SQL injection.
Therefore it is a design/code problem in one of the three web-app tiers
of the website.

It has most likely been vulnerable for a while, but now that Cisco
isn't playing nice, people are looking closer at their site.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk 
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
Of Frank Knobbe
Sent: Thursday, August 04, 2005 1:06 PM
To: Michael Holstein
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] taking their revenge @ cisco

On Wed, 2005-08-03 at 11:19 -0400, Michael Holstein wrote:
     * This incident does not appear to be due to a weakness in Cisco
       products or technologies.

(gotta love that last bullet)

And that's probably correct. I doubt they got the password 
due to a router flaw. Doesn't Cisco use Oracle as their 
backend DB for their websites? That would certainly explain 
the weak DB security....

Ooooh.... Cisco suing Oracle. Now that'd be fun to watch.

Cheers,
Frank


--
Ciscogate: Shame on Cisco. Double-Shame on ISS.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
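The thread's point is that a search box concatenating user input into a query is a web-application bug, not a router bug. The following is an added illustration of that bug class and its fix; it is not code from this thread, from Cisco's site, or from any real product. The product/user tables and the rows in them are constructed sample data for the demo.

```python
import sqlite3

# Constructed sample data standing in for a site's searchable catalogue.
# The schema and rows are assumptions for this demo, not any real site's.
SAMPLE_PRODUCTS = [
    ("Catalyst 2950", "switch"),
    ("PIX 515E", "firewall"),
    ("ASA 5510", "firewall"),
]


def build_db():
    """Create an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT)")
    conn.execute("CREATE TABLE users (login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    # A single constructed credential row; this is what the injection reaches.
    conn.execute("INSERT INTO users VALUES ('admin', 'deadbeef')")
    return conn


def search_vulnerable(conn, term):
    """Search built by string concatenation: the user's term becomes SQL.

    A term containing a quote closes the string literal and the rest of the
    input is parsed as part of the statement, so a UNION can pull rows from
    an unrelated table and a trailing '--' comments out the leftover quote.
    """
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Same search with a bound parameter: the term is always data, never SQL.

    The wildcards are added in Python and the whole pattern is passed as a
    single parameter, so quotes in the input have no syntactic effect.
    """
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def compare(term):
    """Run both variants on the same input and return their results side by side."""
    conn = build_db()
    return {
        "vulnerable": search_vulnerable(conn, term),
        "parameterized": search_parameterized(conn, term),
    }


if __name__ == "__main__":
    # A benign search behaves the same either way.
    print(compare("PIX"))
    # An injection payload: leaks the users table through the vulnerable path,
    # and simply matches nothing through the parameterized one.
    print(compare("' UNION SELECT pw_hash FROM users --"))
```

The fix here is the standard one: never splice untrusted input into the statement text; bind it. Input filtering on quotes alone is not a substitute, since other encodings and contexts (numeric fields, LIKE wildcards, second-order data from the database itself) get past simple blacklists.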

