Sunday, March 24, 2013
Tuesday, March 5, 2013
SQLi in Cisco.com
It's been a while.
Nothing much has been bubbling here :/
I just want to share with you guys my recent finding on Cisco. There's a SQLi bug in one of their applications.
The bug exists at the forgot-password page in one of their public applications, which I bet is quite important. The affected parameter is UserName.
The error appears once we put in a single quote (').
We can use the Blind SQLi technique on this. :)
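For defenders, the following added example (not code from the original post or from Cisco) shows why a single quote in a UserName-style field raises a database error when the query is built by string concatenation, next to the parameterized form and a handler that returns one generic response. The SQLite backend, table layout, function names and sample rows are assumptions constructed for illustration; the post does not describe the real application's backend.

```python
import sqlite3

def make_db():
    # Constructed sample data; the real application's schema is not known.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.test')")
    return db

def lookup_vulnerable(db, username):
    # 'Before' form: the UserName value is pasted into the SQL text, so a
    # quote character in it changes the statement's syntax.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchone()

def lookup_safe(db, username):
    # Hardened form: the value is a bound parameter and is never parsed as SQL.
    return db.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()

def forgot_password(db, username, lookup):
    # Handler sketch: the requester gets the same text for every outcome, so
    # neither a database error nor account existence is visible to them.
    generic = "If the account exists, a reset link has been sent."
    try:
        row = lookup(db, username)
    except sqlite3.Error as exc:
        # Second item is for server-side logging only.
        return generic, "db-error: %s" % exc
    return generic, "found" if row else "not-found"

def demo():
    db = make_db()
    results = {}
    # A legitimate name containing an apostrophe breaks the concatenated
    # query just as a lone quote does.
    for name in ("alice", "o'brien", "'"):
        results[name] = (
            forgot_password(db, name, lookup_vulnerable)[1],
            forgot_password(db, name, lookup_safe)[1],
        )
    return results

if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print("%-10r vulnerable=%s | safe=%s" % (name, vuln, safe))
```

A spike of `db-error` entries from a password-reset endpoint in server logs is a useful detection signal that quote characters are reaching the SQL parser.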
Disclosure:
Found date - 19/12/2012
Reported date - 20/12/2012
Vendor responded but no news after 31/12/2012 (busy with holiday?)
Again reported - 18/02/2013
CSIRT Team replied - 19/02/2013
Bug fixed - 01/03/2013
Public disclosure - 06/03/2013