[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-disclosure] taking their revenge @ cisco
- To: "Frank Knobbe" <frank@xxxxxxxxx>, "Michael Holstein" <michael.holstein@xxxxxxxxxxx>
- Subject: RE: [Full-disclosure] taking their revenge @ cisco
- From: "Todd Towles" <toddtowles@xxxxxxxxxxxxxxx>
- Date: Thu, 4 Aug 2005 13:24:37 -0500
It have nothing to do with a IOS at all. All the other SQL injection
that happen in the world have nothing to do with Cisco IOS flaws. This
is a pure case of the search function being open to SQL injection.
Therefore it is a design/code problem in one of the three web-app tiers
of the website.
It most likely have been vunlerable for a while, but now that Cisco
isn't playing nice..people are looking closer at their site.
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of Frank Knobbe
> Sent: Thursday, August 04, 2005 1:06 PM
> To: Michael Holstein
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] taking their revenge @ cisco
>
> On Wed, 2005-08-03 at 11:19 -0400, Michael Holstein wrote:
> > * This incident does not appear to be due to a
> weakness in Cisco
> > products or technologies.
> >
> > (gotta love that last bullet)
>
> And that's probably correct. I doubt they got the password
> due to a router flaw. Doesn't Cisco use Oracle as their
> backend DB for their websites? That would certainly explain
> the weak DB security....
>
> Ooooh.... Cisco suing Oracle. Now that'd be fun to watch.
>
> Cheers,
> Frank
>
>
> --
> Ciscogate: Shame on Cisco. Double-Shame on ISS.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/