cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1677
Views
10
Helpful
5
Replies

ISE user import fails "...due to XSS vulnerability"

stephan.ochs
Beginner
Beginner

I have to import nearly 1.500 users into ISE using the import function in GUI.

The passwords are not encrypted.

If the password contains '%', I get the following error: 'Username' user Import Failed due to XSS vulnerability - (line#...)

Please don't suggest, not to use '%' in password.

I have to import them as they are.

Is there any possibilty to nest the '%' in any way (as ASCII or Unicode), so ISE will accept it?

I already tried '\0x25' and '\u0025' but both get interpreted as part of the password, not translated to '%'.

 

Or is there any possibility/tool to encrypt the passwords before importing them?

Does anyone know, how they have to be encrypted for ISE being able to decrypt it while import?  

I found some information about internal encryption with AES-CBC.

But what is about encryption/decryption ciphers for export/import?

1 Accepted Solution

Accepted Solutions

Milos_Jovanovic
VIP Engager VIP Engager
VIP Engager

Hi @stephan.ochs,

Have you tried placing entire password between quotes in CSV, before importing it?

BR,

Milos

View solution in original post

5 Replies 5

Arne Bier
VIP Advisor VIP Advisor
VIP Advisor

Hi @stephan.ochs 

 

I just tried this in ISE 2.7 patch 3 and it had no issues with password containing %

 

import2.png

 

import.PNG

Milos_Jovanovic
VIP Engager VIP Engager
VIP Engager

Hi @stephan.ochs,

Have you tried placing entire password between quotes in CSV, before importing it?

BR,

Milos

Hi Milos


I  used Excel to edit the export from ISE. I was unaware of any quotes on string fields. Seems like a bug apparently. But I was able to import using my method. 

Thank you, Milos

 

This is the solution. Why didn't I come up with it myself?

Sometimes you sit in front of the solution and don't see it.

 

@Arne Bier I'm using Excel to generate the import CSV, too.

And normally Excel inserts quotes to strings when exporting to CSV.

But due to using "german" Excel, CSV have ";" instead of ",".

So I copied  the content from Excel, pasted it into a text file and replaced every tab with ",".

This is the reason why the strings had no quotes.

Small cause, big impact.

 

Thank you all and best regards

Stephan

hslai
Cisco Employee
Cisco Employee

Known issue -- CSCvf06752

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers