packetstorm | vsecurity.com | PACKETSTORM:101049
May 03, 2011 - 12:00 a.m.

Cisco SQL Injection


EPSS: 0.93 (percentile: 99.1%)

`  
Hello,  
  
VSR independently discovered this SQL injection flaw (CVE-2011-1610)  
and reported it to Cisco on November 11, 2010. Since we had very  
limited time to perform testing on the product, and because Cisco  
informed us that another researcher had reported the same flaw shortly  
before us, we decided not to write a formal advisory.  
  
However, I would like to add some additional technical information for  
those who need to test for this flaw to determine if they are  
vulnerable.   
  
During our tests on version 7.1.3.32900-4 of the product, we found  
that SQL query errors generated by attacks cause the vulnerable JSP  
script to return no records, but do not present any error message.  
To confirm the injection existed, the results from the following two  
query URLs were compared:  
  
/ccmcip/xmldirectorylist.jsp?f=vsr'||0/1%20OR%201=1))%20--  
  
/ccmcip/xmldirectorylist.jsp?f=vsr'||1/0%20OR%201=1))%20--  
  
The first URL returns a very large record set (likely all user  
records) while the second query returns no records. The only  
difference between the two being the order in which '0' and '1' appear  
in the query, with the latter generating a divide-by-zero error. It  
is likely that a simpler test case can be developed, but this is what  
we came up with during very limited testing. We did not explore  
injections on the l and n parameters.  
  
Thank you,  
tim  
  
http://www.vsecurity.com/  
  
`
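
Because the post reports that the JSP shows no error message when a query fails, request-side log review is the practical way to spot probing of this endpoint. The following is an added example, not code from VSR or Cisco: it scans web access logs for `xmldirectorylist.jsp` requests whose `f`, `l` or `n` parameter decodes to SQL syntax. The Common Log Format layout, the regex heuristic and every log value other than the two request paths quoted in the post are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

PARAMS = ("f", "l", "n")  # f was tested in the post; l and n were not explored
# Assumed heuristic: a quote followed by SQL syntax, string concatenation,
# a comment marker, or SQL keywords. A bare apostrophe (O'Brien) is allowed.
SUSPICIOUS = re.compile(
    r"'\s*(?:\|\||--|\)|or\b|and\b)|\|\||--|\b(?:union|select)\b", re.I)
# Request line, status and response size from a Common Log Format entry.
CLF = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\d+|-)')


def flag_requests(lines):
    """Return (client, param, decoded_value, status, size) per suspicious hit."""
    hits = []
    for line in lines:
        m = CLF.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/ccmcip/xmldirectorylist.jsp"):
            continue
        client = line.split()[0]
        size = 0 if m.group(3) == "-" else int(m.group(3))
        # parse_qs percent-decodes values, so %27 and a literal ' look the same.
        query = parse_qs(url.query, keep_blank_values=True)
        for name in PARAMS:
            for value in query.get(name, []):
                if SUSPICIOUS.search(value):
                    hits.append((client, name, value, int(m.group(2)), size))
    return hits


# Constructed log lines. The two flagged request paths are the ones quoted in
# the post; clients, timestamps, status codes and sizes are invented.
SAMPLE = """
192.0.2.10 - - [03/May/2011:10:00:00 +0000] "GET /ccmcip/xmldirectorylist.jsp?f=smith HTTP/1.1" 200 1843
192.0.2.11 - - [03/May/2011:10:00:02 +0000] "GET /ccmcip/xmldirectorylist.jsp?f=O%27Brien HTTP/1.1" 200 1210
192.0.2.66 - - [03/May/2011:10:00:05 +0000] "GET /ccmcip/xmldirectorylist.jsp?f=vsr'||0/1%20OR%201=1))%20-- HTTP/1.1" 200 912044
192.0.2.66 - - [03/May/2011:10:00:06 +0000] "GET /ccmcip/xmldirectorylist.jsp?f=vsr'||1/0%20OR%201=1))%20-- HTTP/1.1" 200 310
""".strip().splitlines()

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print(hit)
```

The response size is kept in each hit because the post distinguishes the two requests only by how many records come back; the status code alone would not separate them in these constructed lines.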
