var-200606-0246
Vulnerability from variot
The internal database in Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(63) stores a hard-coded username and password in plaintext within unspecified files, which allows remote authenticated users to access the database (aka bug CSCsd15951). Cisco Wireless Control System is prone to multiple security vulnerabilities. The following issues have been disclosed: - Authorization-bypass vulnerability due to multiple hardcoded username and password pairs - Arbitrary file access vulnerability - Cross-site scripting vulnerability - Information-disclosure vulnerability An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible.
Reverse Engineer Wanted
Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports.
http://secunia.com/secunia_security_specialist/
TITLE: Cisco Wireless Control System Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA20870
VERIFY ADVISORY: http://secunia.com/advisories/20870/
CRITICAL: Moderately critical
IMPACT: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
WHERE:
From remote
SOFTWARE: Cisco Wireless Control System (WCS) 1.x http://secunia.com/product/6332/
DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Wireless Control System (WCS), which can be exploited by malicious, local users to gain knowledge of sensitive information, and by malicious people to gain knowledge of sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions and potentially compromise a vulnerable system.
1) An undocumented username and hard-coded password exists in the WCS. This can be exploited to connect to the WCS internal database and to gain access to the configuration information of managed wireless access points.
The security issue has been reported in WCS for Linux and Windows 3.2(40) and prior.
2) Undocumented database username and password are stored in clear text in several WCS files. This can potentially be exploited by local users to gain knowledge of the user credentials and to gain access to the database.
The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior.
3) An error within the internal TFTP server allows reading from or writing to arbitrary locations in the filesystem of a WCS system.
Successful exploitation requires that the configured root directory of the TFTP server contains a space character.
The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior.
4) Input passed to the unspecified parameter in login page is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior.
5) An access control error within the WCS HTTP server can be exploited to gain access to certain directories, which may contain sensitive information like WCS usernames and directory paths.
The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior.
Note: It has also been reported that WCS for Linux and Windows 4.0(1) and prior are installed with a default administrator username root, with a default password of public.
SOLUTION: Update to WCS for Linux and Windows 3.2(63) or later. http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Default administrator passwords should be changed after installation.
PROVIDED AND/OR DISCOVERED BY: Reported by vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200606-0246",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "wireless control system",
"scope": "lte",
"trust": 1.0,
"vendor": "cisco",
"version": "3.2\\(51\\)"
},
{
"model": "wireless control system",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "3.2\\(51\\)"
},
{
"model": "wireless control system software",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.0"
},
{
"model": "wireless control system software",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "3.2"
}
],
"sources": [
{
"db": "BID",
"id": "18701"
},
{
"db": "CNNVD",
"id": "CNNVD-200606-572"
},
{
"db": "NVD",
"id": "CVE-2006-3286"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco Security bulletin",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200606-572"
}
],
"trust": 0.6
},
"cve": "CVE-2006-3286",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2006-3286",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.0,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-19394",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2006-3286",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-200606-572",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-19394",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-19394"
},
{
"db": "CNNVD",
"id": "CNNVD-200606-572"
},
{
"db": "NVD",
"id": "CVE-2006-3286"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The internal database in Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(63) stores a hard-coded username and password in plaintext within unspecified files, which allows remote authenticated users to access the database (aka bug CSCsd15951). Cisco Wireless Control System is prone to multiple security vulnerabilities. \nThe following issues have been disclosed:\n- Authorization-bypass vulnerability due to multiple hardcoded username and password pairs\n- Arbitrary file access vulnerability\n- Cross-site scripting vulnerability\n- Information-disclosure vulnerability\nAn attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible. \n\n----------------------------------------------------------------------\n\nReverse Engineer Wanted\n\nSecunia offers a Security Specialist position with emphasis on\nreverse engineering of software and exploit code, auditing of\nsource code, and analysis of vulnerability reports. \n\nhttp://secunia.com/secunia_security_specialist/\n\n----------------------------------------------------------------------\n\nTITLE:\nCisco Wireless Control System Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA20870\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/20870/\n\nCRITICAL:\nModerately critical\n\nIMPACT:\nSecurity Bypass, Cross Site Scripting, Exposure of system\ninformation, Exposure of sensitive information, System access\n\nWHERE:\n\u003eFrom remote\n\nSOFTWARE:\nCisco Wireless Control System (WCS) 1.x\nhttp://secunia.com/product/6332/\n\nDESCRIPTION:\nSome vulnerabilities and a security issue have been reported in Cisco\nWireless Control System (WCS), which can be exploited by malicious,\nlocal users to gain knowledge of sensitive information, and by\nmalicious people to gain knowledge of sensitive information, conduct\ncross-site scripting attacks, bypass certain security restrictions\nand potentially compromise a vulnerable system. \n\n1) An undocumented username and hard-coded password exists in the\nWCS. This can be exploited to connect to the WCS internal database\nand to gain access to the configuration information of managed\nwireless access points. \n\nThe security issue has been reported in WCS for Linux and Windows\n3.2(40) and prior. \n\n2) Undocumented database username and password are stored in clear\ntext in several WCS files. This can potentially be exploited by local\nusers to gain knowledge of the user credentials and to gain access to\nthe database. \n\nThe vulnerability has been reported in WCS for Linux and Windows\n3.2(51) and prior. \n\n3) An error within the internal TFTP server allows reading from or\nwriting to arbitrary locations in the filesystem of a WCS system. \n\nSuccessful exploitation requires that the configured root directory\nof the TFTP server contains a space character. \n\nThe vulnerability has been reported in WCS for Linux and Windows\n3.2(51) and prior. \n\n4) Input passed to the unspecified parameter in login page is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user\u0027s\nbrowser session in context of an affected site. \n\nThe vulnerability has been reported in WCS for Linux and Windows\n3.2(51) and prior. \n\n5) An access control error within the WCS HTTP server can be\nexploited to gain access to certain directories, which may contain\nsensitive information like WCS usernames and directory paths. \n\nThe vulnerability has been reported in WCS for Linux and Windows\n3.2(51) and prior. \n\nNote: It has also been reported that WCS for Linux and Windows 4.0(1)\nand prior are installed with a default administrator username root,\nwith a default password of public. \n\nSOLUTION:\nUpdate to WCS for Linux and Windows 3.2(63) or later. \nhttp://www.cisco.com/public/sw-center/sw-usingswc.shtml\n\nDefault administrator passwords should be changed after installation. \n\nPROVIDED AND/OR DISCOVERED BY:\nReported by vendor. \n\nORIGINAL ADVISORY:\nhttp://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2006-3286"
},
{
"db": "BID",
"id": "18701"
},
{
"db": "VULHUB",
"id": "VHN-19394"
},
{
"db": "PACKETSTORM",
"id": "47889"
}
],
"trust": 1.35
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "18701",
"trust": 2.0
},
{
"db": "NVD",
"id": "CVE-2006-3286",
"trust": 2.0
},
{
"db": "SECUNIA",
"id": "20870",
"trust": 1.8
},
{
"db": "OSVDB",
"id": "26883",
"trust": 1.7
},
{
"db": "VUPEN",
"id": "ADV-2006-2583",
"trust": 1.7
},
{
"db": "SECTRACK",
"id": "1016398",
"trust": 1.7
},
{
"db": "CISCO",
"id": "20060628 MULTIPLE VULNERABILITIES IN WIRELESS CONTROL SYSTEM",
"trust": 0.6
},
{
"db": "XF",
"id": "27438",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200606-572",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-19394",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "47889",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-19394"
},
{
"db": "BID",
"id": "18701"
},
{
"db": "PACKETSTORM",
"id": "47889"
},
{
"db": "CNNVD",
"id": "CNNVD-200606-572"
},
{
"db": "NVD",
"id": "CVE-2006-3286"
}
]
},
"id": "VAR-200606-0246",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-19394"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T21:57:36.788000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2006-3286"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.1,
"url": "http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/18701"
},
{
"trust": 1.7,
"url": "http://www.osvdb.org/26883"
},
{
"trust": 1.7,
"url": "http://securitytracker.com/id?1016398"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/20870"
},
{
"trust": 1.1,
"url": "http://www.vupen.com/english/advisories/2006/2583"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27438"
},
{
"trust": 0.6,
"url": "http://www.frsirt.com/english/advisories/2006/2583"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/27438"
},
{
"trust": 0.3,
"url": "http://www.cisco.com/en/us/products/sw/voicesw/ps4625/index.html"
},
{
"trust": 0.3,
"url": "/archive/1/438590"
},
{
"trust": 0.1,
"url": "http://secunia.com/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/6332/"
},
{
"trust": 0.1,
"url": "http://secunia.com/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/secunia_security_specialist/"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/public/sw-center/sw-usingswc.shtml"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/20870/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-19394"
},
{
"db": "BID",
"id": "18701"
},
{
"db": "PACKETSTORM",
"id": "47889"
},
{
"db": "CNNVD",
"id": "CNNVD-200606-572"
},
{
"db": "NVD",
"id": "CVE-2006-3286"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-19394"
},
{
"db": "BID",
"id": "18701"
},
{
"db": "PACKETSTORM",
"id": "47889"
},
{
"db": "CNNVD",
"id": "CNNVD-200606-572"
},
{
"db": "NVD",
"id": "CVE-2006-3286"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2006-06-28T00:00:00",
"db": "VULHUB",
"id": "VHN-19394"
},
{
"date": "2006-06-28T00:00:00",
"db": "BID",
"id": "18701"
},
{
"date": "2006-06-29T18:48:34",
"db": "PACKETSTORM",
"id": "47889"
},
{
"date": "2006-06-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200606-572"
},
{
"date": "2006-06-28T23:05:00",
"db": "NVD",
"id": "CVE-2006-3286"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-07-20T00:00:00",
"db": "VULHUB",
"id": "VHN-19394"
},
{
"date": "2007-06-04T19:50:00",
"db": "BID",
"id": "18701"
},
{
"date": "2006-06-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200606-572"
},
{
"date": "2024-11-21T00:13:15.417000",
"db": "NVD",
"id": "CVE-2006-3286"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200606-572"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco Wireless control system unknown WCS file Input validation vulnerability",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200606-572"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "lack of information",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200606-572"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.