发布日期：2011-05-18
更新日期：2011-05-18

受影响系统：

Cisco Cisco Unified Operations Manager (CUOM) 8.5
Cisco Cisco Unified Operations Manager (CUOM) 8.0
Cisco Cisco Unified Operations Manager (CUOM) 2.3
Cisco Cisco Unified Operations Manager (CUOM) 2.2
Cisco Cisco Unified Operations Manager (CUOM) 2.1 SP1
Cisco Cisco Unified Operations Manager (CUOM) 2.0.3
Cisco Cisco Unified Operations Manager (CUOM) 2.0.2
Cisco Cisco Unified Operations Manager (CUOM) 2.0.1
Cisco Cisco Unified Operations Manager (CUOM)  2.1

不受影响系统：

Cisco Cisco Unified Operations Manager (CUOM) 8.6

描述：

---

BUGTRAQ  ID: 47898
CVE ID: CVE-2011-0960

Cisco Unified Operations Manager (CUOM)是Cisco Systems开发的语音的NMS，可实时监控所有系统元素。

Cisco Unified Operations Manager (CUOM)在处理某些SQL查询时在实现上存在多个SQL注入漏洞，远程攻击者可利用此漏洞控制受影响设备，访问或修改数据或利用其他潜在漏洞。

变量CCMs of PRTestCreation通过在延时调用后提供单引号触发盲目SQL注入：
/iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs='waitfor%20d
elay'0:0:20'--&Extns=&IPs=

另外，变量ccm of  TelePresenceReportAction利用单引号可触发盲目SQL注入：/iptm/TelePresenceReportAction.do?ccm='waitfor%20delay'0:0:20'--

<*来源：Sense of Security
  
  链接：http://www.senseofsecurity.com.au/advisories/SOS-11-006.pdf
*>

建议：

---

厂商补丁：

Cisco
-----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://www.cisco.com/warp/public/707/advisory.html

浏览次数：3273
严重程度：0（网友投票）