Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2305
Views
10
Helpful
5
Replies

ISE user import fails "...due to XSS vulnerability"

Go to solution
stephan.ochs
Level 1
Level 1

‎08-20-2021 04:04 AM

I have to import nearly 1.500 users into ISE using the import function in GUI.

The passwords are not encrypted.

If the password contains '%', I get the following error: 'Username' user Import Failed due to XSS vulnerability - (line#...)

Please don't suggest, not to use '%' in password.

I have to import them as they are.

Is there any possibilty to nest the '%' in any way (as ASCII or Unicode), so ISE will accept it?

I already tried '\0x25' and '\u0025' but both get interpreted as part of the password, not translated to '%'.

 

Or is there any possibility/tool to encrypt the passwords before importing them?

Does anyone know, how they have to be encrypted for ISE being able to decrypt it while import?  

I found some information about internal encryption with AES-CBC.

But what is about encryption/decryption ciphers for export/import?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎08-21-2021 03:29 AM

Hi @stephan.ochs,

Have you tried placing entire password between quotes in CSV, before importing it?

BR,

Milos

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Arne Bier
VIP
VIP

‎08-20-2021 11:22 PM

Hi @stephan.ochs 

 

I just tried this in ISE 2.7 patch 3 and it had no issues with password containing %

 

import2.png

 

import.PNG

0 Helpful

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎08-21-2021 03:29 AM

Hi @stephan.ochs,

Have you tried placing entire password between quotes in CSV, before importing it?

BR,

Milos

0 Helpful

Go to solution
IPTel Solutions
Level 1
Level 1
In response to Milos_Jovanovic

‎08-22-2021 12:16 AM - edited ‎08-22-2021 12:18 AM

Hi Milos


I  used Excel to edit the export from ISE. I was unaware of any quotes on string fields. Seems like a bug apparently. But I was able to import using my method. 

Go to solution
stephan.ochs
Level 1
Level 1
In response to Milos_Jovanovic

‎08-22-2021 11:31 PM

Thank you, Milos

 

This is the solution. Why didn't I come up with it myself?

Sometimes you sit in front of the solution and don't see it.

 

@Arne Bier I'm using Excel to generate the import CSV, too.

And normally Excel inserts quotes to strings when exporting to CSV.

But due to using "german" Excel, CSV have ";" instead of ",".

So I copied  the content from Excel, pasted it into a text file and replaced every tab with ",".

This is the reason why the strings had no quotes.

Small cause, big impact.

 

Thank you all and best regards

Stephan

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-21-2021 10:08 PM

Known issue -- CSCvf06752

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents