Guest

Preview Tool

Cisco Bug: CSCvi91980 - GET to bfsClient.do with injected data in request URL param results in resp with injected data

Last Modified

Apr 11, 2018

Products (1)

  • Headend System Releases

Known Affected Releases

ec-9.0.4-1

Description (partial)

Symptom:
A GET request to /dncs/bfs/bfsClient.do with injected data in the siteName request URL parameter results in a response with the injected data.
EC returns 200 with the following in the Set-Cookie response header:
Set-Cookie: BACKUP_BAR="EC|/dncs/console/home.do|Site \"'><IMG SRC=\"/WF_XSRF84105.html\">
And the following in the body:
<a href="../bfs/bfsClient.do?actionRequested=select&siteID=1&siteName="'><IMG SRC="/WF_XSRF84105.html">" id="Site "'><IMG SRC="/WF_XSRF84105.html"> Broadcast File Server List URL">

Conditions:
Default state
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.