It have nothing to do with a IOS at all. All the other SQL injection that happen in the world have nothing to do with Cisco IOS flaws. This is a pure case of the search function being open to SQL injection. Therefore it is a design/code problem in one of the three web-app tiers of the website.
It most likely have been vunlerable for a while, but now that Cisco isn't playing nice..people are looking closer at their site. > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf > Of Frank Knobbe > Sent: Thursday, August 04, 2005 1:06 PM > To: Michael Holstein > Cc: [email protected] > Subject: Re: [Full-disclosure] taking their revenge @ cisco > > On Wed, 2005-08-03 at 11:19 -0400, Michael Holstein wrote: > > * This incident does not appear to be due to a > weakness in Cisco > > products or technologies. > > > > (gotta love that last bullet) > > And that's probably correct. I doubt they got the password > due to a router flaw. Doesn't Cisco use Oracle as their > backend DB for their websites? That would certainly explain > the weak DB security.... > > Ooooh.... Cisco suing Oracle. Now that'd be fun to watch. > > Cheers, > Frank > > > -- > Ciscogate: Shame on Cisco. Double-Shame on ISS. > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
