Re: [cisco-voip] Bug Search Code Injection
I would keep pushing this. There is an internal review process for bug release notes but clearly they failed here. That should not be the only thing keeping Cisco employees from potentially putting malicious code in bug notes. The reviewers probably wouldn't even be able to tell what is malicious and what isn't. On Wed, Aug 28, 2019 at 10:42 AM Anthony Holloway < avholloway+cisco-v...@gmail.com> wrote: > Here is the response I got back after Cisco looked into my report: > > *"And as CDETS is not accessible to external users no malicious code can > be entered and internal users will not enter any malicious code."* > > > On Thu, Aug 22, 2019 at 10:02 AM Anthony Holloway < > avholloway+cisco-v...@gmail.com> wrote: > >> FWIW I submitted feedback via the website and have already been contacted >> by someone on the Bug Search Tool team stating they're looking in to it. >> >> [image: image.png] >> >> On Tue, Aug 20, 2019 at 9:35 AM Anthony Holloway < >> avholloway+cisco-v...@gmail.com> wrote: >> >>> Looks like I stumbled across some code injection on the following defect >>> page: >>> >>> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976 >>> >>> It's innocent enough, but concerning that it's even possible. >>> >>> [image: image.png] >>> >> ___ > cisco-voip mailing list > cisco-voip@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-voip > ___ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] Bug Search Code Injection
Here is the response I got back after Cisco looked into my report: *"And as CDETS is not accessible to external users no malicious code can be entered and internal users will not enter any malicious code."* On Thu, Aug 22, 2019 at 10:02 AM Anthony Holloway < avholloway+cisco-v...@gmail.com> wrote: > FWIW I submitted feedback via the website and have already been contacted > by someone on the Bug Search Tool team stating they're looking in to it. > > [image: image.png] > > On Tue, Aug 20, 2019 at 9:35 AM Anthony Holloway < > avholloway+cisco-v...@gmail.com> wrote: > >> Looks like I stumbled across some code injection on the following defect >> page: >> >> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976 >> >> It's innocent enough, but concerning that it's even possible. >> >> [image: image.png] >> > ___ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] Bug Search Code Injection
FWIW I submitted feedback via the website and have already been contacted by someone on the Bug Search Tool team stating they're looking in to it. [image: image.png] On Tue, Aug 20, 2019 at 9:35 AM Anthony Holloway < avholloway+cisco-v...@gmail.com> wrote: > Looks like I stumbled across some code injection on the following defect > page: > > https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976 > > It's innocent enough, but concerning that it's even possible. > > [image: image.png] > ___ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] Bug Search Code Injection
Correct, you got it. On Tue, Aug 20, 2019 at 2:15 PM Lelio Fulgenzi wrote: > Ah. Gotcha. > > > > For some reason, I thought it was an example of a vulnerability on Cisco’s > site that you could inject code into. > > > > But it’s an example of a “malicious site” with code that would execute on > your machine. > > > > Plus, like you said, you don’t know the details of the bug! > > > > --- > > *Lelio Fulgenzi, B.A.* | Senior Analyst > > Computing and Communications Services | University of Guelph > > Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | > N1G 2W1 > > 519-824-4120 Ext. 56354 | le...@uoguelph.ca > > > > www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook > > > > [image: University of Guelph Cornerstone with Improve Life tagline] > > > > *From:* Anthony Holloway > *Sent:* Tuesday, August 20, 2019 1:54 PM > *To:* Lelio Fulgenzi > *Cc:* Norton, Mike ; Cisco VoIP Group < > cisco-voip@puck.nether.net> > *Subject:* Re: [cisco-voip] Bug Search Code Injection > > > > Basically someone typed in some HTML code into the bug description, and > when my browser received/rendered the page content, my browser saw this > code as code it needed to execute, hence the text box was > rendered as opposed to the text "" just being shown on the page > (like how it is in the title. > > > > Now, while this page is not doing anything harmful at the moment, it's not > impossible for the code to have been: > > > > <a rel="nofollow" href="https://myharmfulwebsite.com/code-you-dont-want.js">https://myharmfulwebsite.com/code-you-dont-want.js</a> > > > > Then my browser would have downloaded and executed that. > > > > I'm no hacker, but I know this can't be good. > > > > Also, if nothing else, it ruins the value of the bug itself, because > people like you don't know what the hell it's trying to tell you. Know > what I mean man? > > > > On Tue, Aug 20, 2019 at 12:42 PM Lelio Fulgenzi wrote: > > Ok – for those of us less knowledgeable, how exactly is this “code > injection” ? > > > > > > > > --- > > *Lelio Fulgenzi, B.A.* | Senior Analyst > > Computing and Communications Services | University of Guelph > > Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | > N1G 2W1 > > 519-824-4120 Ext. 56354 | le...@uoguelph.ca > > > > www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook > > > > [image: University of Guelph Cornerstone with Improve Life tagline] > > > > *From:* cisco-voip *On Behalf Of *Anthony > Holloway > *Sent:* Tuesday, August 20, 2019 1:38 PM > *To:* Norton, Mike > *Cc:* Cisco VoIP Group > *Subject:* Re: [cisco-voip] Bug Search Code Injection > > > > Exactly. Like there might be a feature disabled for preventing code > injection on the site as a whole, and not all code injection displays > something like that. In fact, I'd wager an attack via code injection would > go unnoticed by the user all together. > > > > On Tue, Aug 20, 2019 at 12:08 PM Norton, Mike > wrote: > > Used to be that reading documentation articles about “null” – e.g. null > routes, Null 0 interface, etc. – would give some rather, uh, “interesting” > results in the related community discussions box off to the side of the > article. Agreed it is rather concerning. Basically every language has > standard functions for properly sanitizing/escaping text so there is no > excuse other than sloppiness... which makes one wonder what else they are > sloppy with. > > -mn > > *From:* cisco-voip *On Behalf Of *Anthony > Holloway > *Sent:* August 20, 2019 8:35 AM > *To:* Cisco VoIP Group > *Subject:* [cisco-voip] Bug Search Code Injection > > > > Looks like I stumbled across some code injection on the following defect > page: > > > > https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976 > > > > It's innocent enough, but concerning that it's even possible. > > > > [image: image.png] > > ___ > cisco-voip mailing list > cisco-voip@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-voip > > ___ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] Bug Search Code Injection
Ah. Gotcha. For some reason, I thought it was an example of a vulnerability on Cisco’s site that you could inject code into. But it’s an example of a “malicious site” with code that would execute on your machine. Plus, like you said, you don’t know the details of the bug! --- Lelio Fulgenzi, B.A. | Senior Analyst Computing and Communications Services | University of Guelph Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1 519-824-4120 Ext. 56354 | le...@uoguelph.ca<mailto:le...@uoguelph.ca> www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram, Twitter and Facebook [University of Guelph Cornerstone with Improve Life tagline] From: Anthony Holloway Sent: Tuesday, August 20, 2019 1:54 PM To: Lelio Fulgenzi Cc: Norton, Mike ; Cisco VoIP Group Subject: Re: [cisco-voip] Bug Search Code Injection Basically someone typed in some HTML code into the bug description, and when my browser received/rendered the page content, my browser saw this code as code it needed to execute, hence the text box was rendered as opposed to the text "" just being shown on the page (like how it is in the title. Now, while this page is not doing anything harmful at the moment, it's not impossible for the code to have been: <a rel="nofollow" href="https://myharmfulwebsite.com/code-you-dont-want.js">https://myharmfulwebsite.com/code-you-dont-want.js</a> Then my browser would have downloaded and executed that. I'm no hacker, but I know this can't be good. Also, if nothing else, it ruins the value of the bug itself, because people like you don't know what the hell it's trying to tell you. Know what I mean man? On Tue, Aug 20, 2019 at 12:42 PM Lelio Fulgenzi mailto:le...@uoguelph.ca>> wrote: Ok – for those of us less knowledgeable, how exactly is this “code injection” ? --- Lelio Fulgenzi, B.A. | Senior Analyst Computing and Communications Services | University of Guelph Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1 519-824-4120 Ext. 56354 | le...@uoguelph.ca<mailto:le...@uoguelph.ca> www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram, Twitter and Facebook [University of Guelph Cornerstone with Improve Life tagline] From: cisco-voip mailto:cisco-voip-boun...@puck.nether.net>> On Behalf Of Anthony Holloway Sent: Tuesday, August 20, 2019 1:38 PM To: Norton, Mike mailto:mikenor...@pwsd76.ab.ca>> Cc: Cisco VoIP Group mailto:cisco-voip@puck.nether.net>> Subject: Re: [cisco-voip] Bug Search Code Injection Exactly. Like there might be a feature disabled for preventing code injection on the site as a whole, and not all code injection displays something like that. In fact, I'd wager an attack via code injection would go unnoticed by the user all together. On Tue, Aug 20, 2019 at 12:08 PM Norton, Mike mailto:mikenor...@pwsd76.ab.ca>> wrote: Used to be that reading documentation articles about “null” – e.g. null routes, Null 0 interface, etc. – would give some rather, uh, “interesting” results in the related community discussions box off to the side of the article. Agreed it is rather concerning. Basically every language has standard functions for properly sanitizing/escaping text so there is no excuse other than sloppiness... which makes one wonder what else they are sloppy with. -mn From: cisco-voip mailto:cisco-voip-boun...@puck.nether.net>> On Behalf Of Anthony Holloway Sent: August 20, 2019 8:35 AM To: Cisco VoIP Group mailto:cisco-voip@puck.nether.net>> Subject: [cisco-voip] Bug Search Code Injection Looks like I stumbled across some code injection on the following defect page: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976 It's innocent enough, but concerning that it's even possible. [image.png] ___ cisco-voip mailing list cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net> https://puck.nether.net/mailman/listinfo/cisco-voip ___ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] Bug Search Code Injection
Basically someone typed in some HTML code into the bug description, and when my browser received/rendered the page content, my browser saw this code as code it needed to execute, hence the text box was rendered as opposed to the text "" just being shown on the page (like how it is in the title. Now, while this page is not doing anything harmful at the moment, it's not impossible for the code to have been: <a rel="nofollow" href="https://myharmfulwebsite.com/code-you-dont-want.js">https://myharmfulwebsite.com/code-you-dont-want.js</a> Then my browser would have downloaded and executed that. I'm no hacker, but I know this can't be good. Also, if nothing else, it ruins the value of the bug itself, because people like you don't know what the hell it's trying to tell you. Know what I mean man? On Tue, Aug 20, 2019 at 12:42 PM Lelio Fulgenzi wrote: > Ok – for those of us less knowledgeable, how exactly is this “code > injection” ? > > > > > > > > --- > > *Lelio Fulgenzi, B.A.* | Senior Analyst > > Computing and Communications Services | University of Guelph > > Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | > N1G 2W1 > > 519-824-4120 Ext. 56354 | le...@uoguelph.ca > > > > www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook > > > > [image: University of Guelph Cornerstone with Improve Life tagline] > > > > *From:* cisco-voip *On Behalf Of *Anthony > Holloway > *Sent:* Tuesday, August 20, 2019 1:38 PM > *To:* Norton, Mike > *Cc:* Cisco VoIP Group > *Subject:* Re: [cisco-voip] Bug Search Code Injection > > > > Exactly. Like there might be a feature disabled for preventing code > injection on the site as a whole, and not all code injection displays > something like that. In fact, I'd wager an attack via code injection would > go unnoticed by the user all together. > > > > On Tue, Aug 20, 2019 at 12:08 PM Norton, Mike > wrote: > > Used to be that reading documentation articles about “null” – e.g. null > routes, Null 0 interface, etc. – would give some rather, uh, “interesting” > results in the related community discussions box off to the side of the > article. Agreed it is rather concerning. Basically every language has > standard functions for properly sanitizing/escaping text so there is no > excuse other than sloppiness... which makes one wonder what else they are > sloppy with. > > -mn > > *From:* cisco-voip *On Behalf Of *Anthony > Holloway > *Sent:* August 20, 2019 8:35 AM > *To:* Cisco VoIP Group > *Subject:* [cisco-voip] Bug Search Code Injection > > > > Looks like I stumbled across some code injection on the following defect > page: > > > > https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976 > > > > It's innocent enough, but concerning that it's even possible. > > > > [image: image.png] > > ___ > cisco-voip mailing list > cisco-voip@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-voip > > ___ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] Bug Search Code Injection
Ok – for those of us less knowledgeable, how exactly is this “code injection” ? --- Lelio Fulgenzi, B.A. | Senior Analyst Computing and Communications Services | University of Guelph Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1 519-824-4120 Ext. 56354 | le...@uoguelph.ca<mailto:le...@uoguelph.ca> www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram, Twitter and Facebook [University of Guelph Cornerstone with Improve Life tagline] From: cisco-voip On Behalf Of Anthony Holloway Sent: Tuesday, August 20, 2019 1:38 PM To: Norton, Mike Cc: Cisco VoIP Group Subject: Re: [cisco-voip] Bug Search Code Injection Exactly. Like there might be a feature disabled for preventing code injection on the site as a whole, and not all code injection displays something like that. In fact, I'd wager an attack via code injection would go unnoticed by the user all together. On Tue, Aug 20, 2019 at 12:08 PM Norton, Mike mailto:mikenor...@pwsd76.ab.ca>> wrote: Used to be that reading documentation articles about “null” – e.g. null routes, Null 0 interface, etc. – would give some rather, uh, “interesting” results in the related community discussions box off to the side of the article. Agreed it is rather concerning. Basically every language has standard functions for properly sanitizing/escaping text so there is no excuse other than sloppiness... which makes one wonder what else they are sloppy with. -mn From: cisco-voip mailto:cisco-voip-boun...@puck.nether.net>> On Behalf Of Anthony Holloway Sent: August 20, 2019 8:35 AM To: Cisco VoIP Group mailto:cisco-voip@puck.nether.net>> Subject: [cisco-voip] Bug Search Code Injection Looks like I stumbled across some code injection on the following defect page: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976 It's innocent enough, but concerning that it's even possible. [image.png] ___ cisco-voip mailing list cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net> https://puck.nether.net/mailman/listinfo/cisco-voip ___ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] Bug Search Code Injection
Exactly. Like there might be a feature disabled for preventing code injection on the site as a whole, and not all code injection displays something like that. In fact, I'd wager an attack via code injection would go unnoticed by the user all together. On Tue, Aug 20, 2019 at 12:08 PM Norton, Mike wrote: > Used to be that reading documentation articles about “null” – e.g. null > routes, Null 0 interface, etc. – would give some rather, uh, “interesting” > results in the related community discussions box off to the side of the > article. Agreed it is rather concerning. Basically every language has > standard functions for properly sanitizing/escaping text so there is no > excuse other than sloppiness... which makes one wonder what else they are > sloppy with. > > -mn > > *From:* cisco-voip *On Behalf Of *Anthony > Holloway > *Sent:* August 20, 2019 8:35 AM > *To:* Cisco VoIP Group > *Subject:* [cisco-voip] Bug Search Code Injection > > > > Looks like I stumbled across some code injection on the following defect > page: > > > > https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976 > > > > It's innocent enough, but concerning that it's even possible. > > > > [image: image.png] > ___ > cisco-voip mailing list > cisco-voip@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-voip > ___ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] Bug Search Code Injection
Used to be that reading documentation articles about “null” – e.g. null routes, Null 0 interface, etc. – would give some rather, uh, “interesting” results in the related community discussions box off to the side of the article. Agreed it is rather concerning. Basically every language has standard functions for properly sanitizing/escaping text so there is no excuse other than sloppiness... which makes one wonder what else they are sloppy with. -mn From: cisco-voip On Behalf Of Anthony Holloway Sent: August 20, 2019 8:35 AM To: Cisco VoIP Group Subject: [cisco-voip] Bug Search Code Injection Looks like I stumbled across some code injection on the following defect page: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976 It's innocent enough, but concerning that it's even possible. [image.png] ___ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
[cisco-voip] Bug Search Code Injection
Looks like I stumbled across some code injection on the following defect page: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq27976 It's innocent enough, but concerning that it's even possible. [image: image.png] ___ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip