VSR independently discovered this SQL injection flaw (CVE-2011-1610) and reported it to Cisco on November 11, 2010. Since we had very limited time to preform testing on the product, and because Cisco informed us that another researcher had reported the same flaw shortly before us, we decided not to write a formal advisory. However, I would like to add some additional technical information for those who need to test for this flaw to determine if they are vulnerable. During our tests on version 220.127.116.11900-4 of the product, we found that SQL query errors generated by attacks causes the vulnerable JSP script to return no records, but does not present any error message. To confirm the injection existed, the result from the following two query URLs were compared: /ccmcip/xmldirectorylist.jsp?f=vsr'||0/1%20OR%201=1))%20-- /ccmcip/xmldirectorylist.jsp?f=vsr'||1/0%20OR%201=1))%20-- The first URL returns a very large record set (likely all user records) while the second query returns no records. The only difference between the two being the order in which '0' and '1' appear in the query, with the latter generating a divide-by-zero error. It is likely that a simpler test case can be developed, but this is what we came up with during very limited testing. We did not explore injections on the l and n parameters.
LINK TO OUR HOME PAGE :