Bugtraq mailing list archives
Re: Advisory def-2000-02: Cisco Catalyst remote command execution
From: Andrew Frith <AndrewF () GATEWAY BM>
Date: Thu, 26 Oct 2000 17:35:10 -0300
I was unable to reproduce this on a 2924-XL running version 11.2(8.2)SA6. Entering that URL in a web browser prompts for a password. It will only execute once the enable password has been entered.
Olle Segerdahl <Olle.Segerdahl () DEFCOM-SEC COM> 10/26/00 05:51AM >>>
----------------------=[Detailed Description]=------------------------ Cisco Catalyst 3500 XL series switches have a webserver configuration interface. This interface lets any anonymous web user execute any command without supplying any authentication credentials by simply requesting the /exec location from the webserver. An example follows: http://catalyst/exec/show/config/cr This URL will show the configuration file, with all user passwords.
Current thread:
- Advisory def-2000-02: Cisco Catalyst remote command execution Olle Segerdahl (Oct 27)
- <Possible follow-ups>
- Re: Advisory def-2000-02: Cisco Catalyst remote command execution Andrew Frith (Oct 27)