
CVE-2008-3821

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Published: Jan 16, 2009 | Modified: Oct 11, 2018
CVSS 3.x: N/A
CVSS 2.x: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Source: NVD

Multiple cross-site scripting (XSS) vulnerabilities in the HTTP server in Cisco IOS 11.0 through 12.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the ping program or (2) unspecified other aspects of the URI.

Weakness

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Software

Name Vendor Start Version End Version
Ios Cisco 12.3ym 12.3ym
Ios Cisco 12.1xg 12.1xg
Ios Cisco 12.0xc 12.0xc
Ios Cisco 12.3yq 12.3yq
Ios Cisco 12.3xr 12.3xr
Ios Cisco 12.0xk 12.0xk
Ios Cisco 12.4t 12.4t
Ios Cisco 12.0xr 12.0xr
Ios Cisco 12.1xm 12.1xm
Ios Cisco 12.1xi 12.1xi
Ios Cisco 12.2sga 12.2sga
Ios Cisco 12.3bc 12.3bc
Ios Cisco 12.0st 12.0st
Ios Cisco 12.2xr 12.2xr
Ios Cisco 12.1xc 12.1xc
Ios Cisco 12.3ya 12.3ya
Ios Cisco 12.1xp 12.1xp
Ios Cisco 12.2cz 12.2cz
Ios Cisco 12.1ya 12.1ya
Ios Cisco 12.2sxf 12.2sxf
Ios Cisco 12.1yd 12.1yd
Ios Cisco 12.2fy 12.2fy
Ios Cisco 12.0dc 12.0dc
Ios Cisco 12.0xq 12.0xq
Ios Cisco 12.1xs 12.1xs
Ios Cisco 12.2xe 12.2xe
Ios Cisco 12.0xe 12.0xe
Ios Cisco 12.3xs 12.3xs
Ios Cisco 12.2ja 12.2ja
Ios Cisco 12.2sx 12.2sx
Ios Cisco 12.3xg 12.3xg
Ios Cisco 12.4xj 12.4xj
Ios Cisco 12.2zp 12.2zp
Ios Cisco 12.3bw 12.3bw
Ios Cisco 12.1xy 12.1xy
Ios Cisco 12.3xd 12.3xd
Ios Cisco 12.2bz 12.2bz
Ios Cisco 12.0xd 12.0xd
Ios Cisco 12.3xw 12.3xw
Ios Cisco 12.4mr 12.4mr
Ios Cisco 12.2xj 12.2xj
Ios Cisco 12.2srb 12.2srb
Ios Cisco 12.2su 12.2su
Ios Cisco 12.1xz 12.1xz
Ios Cisco 12.2xh 12.2xh
Ios Cisco 12.2xg 12.2xg
Ios Cisco 12.2ew 12.2ew
Ios Cisco 12.0xj 12.0xj
Ios Cisco 12.2b 12.2b
Ios Cisco 12.2ixb 12.2ixb
Ios Cisco 12.2svc 12.2svc
Ios Cisco 12.2sea 12.2sea
Ios Cisco 12.4xt 12.4xt
Ios Cisco 12.1t 12.1t
Ios Cisco 12.1eo 12.1eo
Ios Cisco 12.3xi 12.3xi
Ios Cisco 12.1xr 12.1xr
Ios Cisco 12.2yn 12.2yn
Ios Cisco 12.2sxa 12.2sxa
Ios Cisco 12.1db 12.1db
Ios Cisco 12.2ey 12.2ey
Ios Cisco 12.2zx 12.2zx
Ios Cisco 12.2seg 12.2seg
Ios Cisco 12.3yj 12.3yj
Ios Cisco 12.2xb 12.2xb
Ios Cisco 12.2yf 12.2yf
Ios Cisco 12.2sg 12.2sg
Ios Cisco 12.2ixf 12.2ixf
Ios Cisco 12.1xe 12.1xe
Ios Cisco 12.3jec 12.3jec
Ios Cisco 12.2xl 12.2xl
Ios Cisco 12.2ym 12.2ym
Ios Cisco 12.2yw 12.2yw
Ios Cisco 12.3yu 12.3yu
Ios Cisco 12.2yd 12.2yd
Ios Cisco 12.3xj 12.3xj
Ios Cisco 12.0xl 12.0xl
Ios Cisco 12.0xs 12.0xs
Ios Cisco 12.3t 12.3t
Ios Cisco 12.2yb 12.2yb
Ios Cisco 12.3 12.3
Ios Cisco 12.2mb 12.2mb
Ios Cisco 12.2dd 12.2dd
Ios Cisco 12.1eu 12.1eu
Ios Cisco 12.1xb 12.1xb
Ios Cisco 12.2zh 12.2zh
Ios Cisco 12.2da 12.2da
Ios Cisco 12.1ga 12.1ga
Ios Cisco 12.1yf 12.1yf
Ios Cisco 12.2zu 12.2zu
Ios Cisco 12.2yv 12.2yv
Ios Cisco 12.1xl 12.1xl
Ios Cisco 12.2ixa 12.2ixa
Ios Cisco 12.1ax 12.1ax
Ios Cisco 12.2sxb 12.2sxb
Ios Cisco 12.2yo 12.2yo
Ios Cisco 12.2xw 12.2xw
Ios Cisco 12.3va 12.3va
Ios Cisco 12.2t 12.2t
Ios Cisco 12.2zc 12.2zc
Ios Cisco 12.0xb 12.0xb
Ios Cisco 12.2sv 12.2sv
Ios Cisco 12.2seb 12.2seb
Ios Cisco 12.3xz 12.3xz
Ios Cisco 12.2yt 12.2yt
Ios Cisco 12.4jx 12.4jx
Ios Cisco 12.2zya 12.2zya
Ios Cisco 12.0xh 12.0xh
Ios Cisco 12.0t 12.0t
Ios Cisco 12.1xw 12.1xw
Ios Cisco 12.4xg 12.4xg
Ios Cisco 12.2yl 12.2yl
Ios Cisco 12.2sed 12.2sed
Ios Cisco 12.2za 12.2za
Ios Cisco 12.2xn 12.2xn
Ios Cisco 12.2ye 12.2ye
Ios Cisco 12.1yb 12.1yb
Ios Cisco 12.2ez 12.2ez
Ios Cisco 12.4jmb 12.4jmb
Ios Cisco 12.4xv 12.4xv
Ios Cisco 12.3yd 12.3yd
Ios Cisco 12.4xw 12.4xw
Ios Cisco 12.2sr 12.2sr
Ios Cisco 12.1eb 12.1eb
Ios Cisco 12.2zb 12.2zb
Ios Cisco 12.2yg 12.2yg
Ios Cisco 12.2sva 12.2sva
Ios Cisco 12.2ex 12.2ex
Ios Cisco 12.1dc 12.1dc
Ios Cisco 12.2svd 12.2svd
Ios Cisco 12.1gb 12.1gb
Ios Cisco 12.2xu 12.2xu
Ios Cisco 12.2sbc 12.2sbc
Ios Cisco 12.2ixc 12.2ixc
Ios Cisco 12.1ex 12.1ex
Ios Cisco 12.1yi 12.1yi
Ios Cisco 12.3xl 12.3xl
Ios Cisco 12.2yr 12.2yr
Ios Cisco 12.2se 12.2se
Ios Cisco 12.1 12.1
Ios Cisco 12.0sl 12.0sl
Ios Cisco 12.1yh 12.1yh
Ios Cisco 12.3yk 12.3yk
Ios Cisco 12.0db 12.0db
Ios Cisco 12.3yf 12.3yf
Ios Cisco 12.4xd 12.4xd
Ios Cisco 12.0sz 12.0sz
Ios Cisco 12.2sec 12.2sec
Ios Cisco 12.4xp 12.4xp
Ios Cisco 12.1ec 12.1ec
Ios Cisco 12.1cx 12.1cx
Ios Cisco 12.2sb 12.2sb
Ios Cisco 12.4jda 12.4jda
Ios Cisco 12.2xm 12.2xm
Ios Cisco 12.3yt 12.3yt
Ios Cisco 12.2sy 12.2sy
Ios Cisco 12.2xk 12.2xk
Ios Cisco 12.1xh 12.1xh
Ios Cisco 12.3xb 12.3xb
Ios Cisco 12.2ixg 12.2ixg
Ios Cisco 12.2zj 12.2zj
Ios Cisco 12.0xa 12.0xa
Ios Cisco 12.3yz 12.3yz
Ios Cisco 12.4xk 12.4xk
Ios Cisco 12.1xu 12.1xu
Ios Cisco 12.0sc 12.0sc
Ios Cisco 12.2zy 12.2zy
Ios Cisco 12.0sy 12.0sy
Ios Cisco 12.3jl 12.3jl
Ios Cisco 12.2jk 12.2jk
Ios Cisco 12.3yg 12.3yg
Ios Cisco 12.1xj 12.1xj
Ios Cisco 12.3xu 12.3xu
Ios Cisco 12.2zd 12.2zd
Ios Cisco 12.3xy 12.3xy
Ios Cisco 12.2cy 12.2cy
Ios Cisco 12.3xc 12.3xc
Ios Cisco 12.4jk 12.4jk
Ios Cisco 12.4 12.4
Ios Cisco 12.2so 12.2so
Ios Cisco 12.1aa 12.1aa
Ios Cisco 12.2tpc 12.2tpc
Ios Cisco 12.0xn 12.0xn
Ios Cisco 12.2xc 12.2xc
Ios Cisco 12.2ewa 12.2ewa
Ios Cisco 12.4jl 12.4jl
Ios Cisco 12.2bc 12.2bc
Ios Cisco 12.3xe 12.3xe
Ios Cisco 12.0da 12.0da
Ios Cisco 12.1xx 12.1xx
Ios Cisco 12.4sw 12.4sw
Ios Cisco 12.0sp 12.0sp
Ios Cisco 12.2yc 12.2yc
Ios Cisco 12.3jea 12.3jea
Ios Cisco 12.2ze 12.2ze
Ios Cisco 12.3tpc 12.3tpc
Ios Cisco 12.3ja 12.3ja
Ios Cisco 12.2xs 12.2xs
Ios Cisco 12.2yp 12.2yp
Ios Cisco 12.2bw 12.2bw
Ios Cisco 12.4xa 12.4xa
Ios Cisco 12.2yy 12.2yy
Ios Cisco 12.2fx 12.2fx
Ios Cisco 12.2sz 12.2sz
Ios Cisco 12.2xi 12.2xi
Ios Cisco 12.0w 12.0w
Ios Cisco 12.3za 12.3za
Ios Cisco 12.0wc 12.0wc
Ios Cisco 12.1ey 12.1ey
Ios Cisco 12.2yu 12.2yu
Ios Cisco 12.0xm 12.0xm
Ios Cisco 12.4xe 12.4xe
Ios Cisco 12.3yx 12.3yx
Ios Cisco 12.1xd 12.1xd
Ios Cisco 12.2dx 12.2dx
Ios Cisco 12.1ez 12.1ez
Ios Cisco 12.2ixd 12.2ixd
Ios Cisco 12.2xd 12.2xd
Ios Cisco 12.2bx 12.2bx
Ios Cisco 12.3xq 12.3xq
Ios Cisco 12.2cx 12.2cx
Ios Cisco 12.2zl 12.2zl
Ios Cisco 12.4md 12.4md
Ios Cisco 12.2yq 12.2yq
Ios Cisco 12.1xq 12.1xq
Ios Cisco 12.0s 12.0s
Ios Cisco 12.2xf 12.2xf
Ios Cisco 12.0xt 12.0xt
Ios Cisco 12.1ay 12.1ay
Ios Cisco 12.2xq 12.2xq
Ios Cisco 12.2sef 12.2sef
Ios Cisco 12.2see 12.2see
Ios Cisco 12.3ys 12.3ys
Ios Cisco 12.3jk 12.3jk
Ios Cisco 12.2zf 12.2zf
Ios Cisco 12.3b 12.3b
Ios Cisco 12.2sra 12.2sra
Ios Cisco 12.3jeb 12.3jeb
Ios Cisco 12.2sm 12.2sm
Ios Cisco 12.1xf 12.1xf
Ios Cisco 12.3yh 12.3yh
Ios Cisco 12.2ya 12.2ya
Ios Cisco 12.1ew 12.1ew
Ios Cisco 12.4xb 12.4xb
Ios Cisco 12.1da 12.1da
Ios Cisco 12.4ja 12.4ja
Ios Cisco 12.2xv 12.2xv
Ios Cisco 12.2 12.2
Ios Cisco 12.1xa 12.1xa
Ios Cisco 12.0xg 12.0xg
Ios Cisco 12.2zg 12.2zg
Ios Cisco 12.3xx 12.3xx
Ios Cisco 12.0 12.0
Ios Cisco 12.1yc 12.1yc
Ios Cisco 12.4xc 12.4xc
Ios Cisco 12.2sw 12.2sw
Ios Cisco 12.3xa 12.3xa
Ios Cisco 12.3yi 12.3yi
Ios Cisco 12.0xv 12.0xv
Ios Cisco 12.2yk 12.2yk
Ios Cisco 12.2sxd 12.2sxd
Ios Cisco 12.2yz 12.2yz
Ios Cisco 12.2xa 12.2xa
Ios Cisco 12.1xt 12.1xt
Ios Cisco 12.0sx 12.0sx
Ios Cisco 12.2ixe 12.2ixe
Ios Cisco 12.0xi 12.0xi
Ios Cisco 12.1ye 12.1ye
Ios Cisco 12.3xk 12.3xk
Ios Cisco 12.1xv 12.1xv
Ios Cisco 12.2yj 12.2yj
Ios Cisco 12.2sve 12.2sve
Ios Cisco 12.2mc 12.2mc
Ios Cisco 12.1yj 12.1yj
Ios Cisco 12.2yx 12.2yx
Ios Cisco 12.2xo 12.2xo
Ios Cisco 12.2sxe 12.2sxe
Ios Cisco 12.3jx 12.3jx
Ios Cisco 12.2by 12.2by
Ios Cisco 12.2yh 12.2yh
Ios Cisco 12.2s 12.2s
Ios Cisco 12.2fz 12.2fz
Ios Cisco 12.2xt 12.2xt
Ios Cisco 12.4jma 12.4jma

Extended Description

Cross-site scripting (XSS) vulnerabilities occur when user-controllable input is placed, without neutralization, into output that is served to other users as a web page.

There are three main kinds of XSS:

Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim’s machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim’s account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim’s machine, sometimes referred to as “drive-by hacking.” In many cases, the attack can be launched without the victim even being aware of it. Even with careful users, attackers frequently use a variety of methods to encode the malicious portion of the attack, such as URL encoding or Unicode, so the request looks less suspicious.

Potential Mitigations

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

  • Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft’s Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

  • Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

  • For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

  • Parts of the same output document may require different encodings, which will vary depending on which part of the output the data lands in. Note that HTML Entity Encoding is only appropriate for the HTML body.

  • Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.

  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”

  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

  • When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

  • Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("<3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the “<” character, which would need to be escaped or otherwise handled. In this case, stripping the “<” might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities.

  • Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.

  • Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.
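The mitigations above combine two layers: an "accept known good" allowlist at a well-defined interface, and context-specific output encoding that preserves legitimate characters (the "<3" case) instead of stripping them. The following Python is an added illustration written for this page, not code from Cisco IOS, NVD or CWE: the page, the `host` parameter, the allowlist pattern and the encoder function names are all assumptions, and `render_ping_page` is a constructed stand-in for any handler that reflects a query-string value into a generated page.

```python
import html
import json
import re
from typing import Optional
from urllib.parse import quote

# Allowlist for a parameter that must hold a hostname: a constructed pattern for
# this example (tighten it to your own specification); anything else is rejected.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_host(value: str) -> Optional[str]:
    """'Accept known good': return the value only if it conforms, else None.

    Length, character set and syntax are all checked here, at the one interface
    through which the parameter enters the application.
    """
    if len(value) > 253 or not _HOST_RE.fullmatch(value):
        return None
    return value


# One encoder per output context. HTML entity encoding is only right for the
# HTML body; attributes, URLs and script blocks each need their own treatment.

def encode_for_html_body(value: str) -> str:
    """Text between tags: '<', '>' and '&' become entities, quotes may stay."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Value inside a double-quoted attribute: quotes must be encoded too."""
    return html.escape(value, quote=True)


def encode_for_url_query(value: str) -> str:
    """Component of a URL query string: percent-encode everything non-alphanumeric."""
    return quote(value, safe="")


def encode_for_js_string(value: str) -> str:
    """JavaScript string literal inside a <script> element.

    json.dumps gives a quoted, backslash-escaped literal; '/' is additionally
    escaped so a value containing '</script>' cannot close the element early.
    """
    return json.dumps(value).replace("/", "\\/")


def render_ping_page(host_param: str) -> str:
    """Reflect an untrusted query parameter into four contexts, each encoded for
    that context. Non-conforming input is rejected and never reflected at all."""
    host = validate_host(host_param)
    if host is None:
        return "<html><body><p>Invalid host parameter.</p></body></html>"
    return (
        "<html><body>"
        f"<p>Pinging {encode_for_html_body(host)}</p>"
        f'<a href="/ping?host={encode_for_url_query(host)}" '
        f'title="{encode_for_html_attribute(host)}">repeat</a>'
        f"<script>var target = {encode_for_js_string(host)};</script>"
        "</body></html>"
    )


def render_chat_line(message: str) -> str:
    """Free-form text cannot be allowlisted the way a hostname can; output
    encoding keeps '<3' intact in the page while removing its HTML meaning."""
    return f"<li>{encode_for_html_body(message)}</li>"


if __name__ == "__main__":
    print(render_ping_page("router1.example.net"))
    print(render_ping_page("bad<host"))
    print(render_chat_line("I <3 routers"))
```

The two functions show why the page recommends encoding as the primary control and validation as defense in depth: `validate_host` can reject anything that is not a hostname because the parameter's specification is narrow, whereas `render_chat_line` has no such specification and relies on encoding alone, which records the emoticon faithfully rather than stripping the "<" character.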

References