TITLE: Cisco Clean Access Manager Obsolete JSP Files Vulnerability SECUNIA ADVISORY ID: SA18103 VERIFY ADVISORY: http://secunia.com/advisories/18103/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network SOFTWARE: Cisco Clean Access (CCA) 3.x http://secunia.com/product/5561/ DESCRIPTION: Alex Lanstein has reported a vulnerability in Cisco CAM (Clean Access Manager), which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to missing authentication on several obsolete JSP files (e.g. "/admin/uploadclient.jsp", "apply_firmware_action.jsp" and "file.jsp") that is present on the Secure Smart Manager. This can be exploited to upload files onto the affected system without requiring authentication, potentially to cause a DoS by filling up the disk space. The vulnerability has been reported in 3.5.5. Other versions may also be affected. SOLUTION: Apply patch. http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Alex Lanstein ORIGINAL ADVISORY: CISCO: http://www.cisco.com/warp/public/707/cisco-response-20051221-CCA.shtml Alex Lanstein: http://www.awarenetwork.org/forum/viewtopic.php?p=2236 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------