cucm 12 security.XSSFilter - SQL Injection found error saving port config

Hi,

First time use of CUCM, seemingly trivial config refuses to save:

- CUCM 12.0.1.21900-7

- user webadmin (which is in groups Standard Audit Users, Standard CCM Gateway Administration, Standard CCM Super Users)

- in CUCM added 2951 Gateway

- in its "Gateway Configuration" screen, added cards:

Module in Slot 0: NM-4VWIC-MBRD

  Subunit 0: VWIC3-2MFT-G703-E1

Module in Slot 1: NM-HD-2VE

  Subunit 0: VIC3-2FXS/DID

- Clicked Save and that was OK

- then clicked Slot 0 Subunit 0's port 0/0/0, which took me to the port config screen

- set Device Pool "Default"

- clicked Save, okayed the "Click the Apply Config to have the changes take effect."

 

Gave "Access to the requested resource has been denied.". What the?

Server logs showed this, it looks like the source of the "access denied" to me:

 

./var/log/active/tomcat/logs/cui/log4j/cui00034.log:2018-05-24 15:53:09,557 ERROR [http-bio-443-exec-10] security.XSSFilter - SQL Injection found: request = /ccmadmin/gatewayT1E1PriSave.do/fkmgcp=225c6dbc-53b4-d9e5-bdd7-d8d4cb381944

 

... huh?

 

Any ideas anyone? Anyone have a test system they could try this on? Even an older version, perhaps it got broken in 12 trying to plug the security holes? I don't have an older version to try.

 

(I get the same error message trying to edit the VIC3-2FXS/DID ports but I did not look at the server logs after that one.)

 

Thanks,

Trevor
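For triaging this kind of denial across collected Tomcat logs, here is an added example that is not part of the original thread and not Cisco code. It parses security.XSSFilter lines in the layout of the one quoted above, groups them by endpoint, and marks hits whose logged parameter value is nothing but a GUID. The line layout is inferred from that single quoted line, and the function names and the `/ccmadmin/exampleSave.do` endpoint are hypothetical.

```python
import re
from collections import Counter

# Layout inferred from the one log line quoted in the post (assumption);
# other CUCM builds may format these lines differently.
LINE_RE = re.compile(
    r"^(?:(?P<file>\S+\.log):)?"                           # optional grep-style file prefix
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]+)\] "
    r"security\.XSSFilter - (?P<verdict>.+?): request = (?P<request>\S+)"
)
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_line(line):
    """Return a dict for an XSSFilter line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The logged request ends in "/name=value" rather than "?name=value".
    path, _, tail = rec["request"].rpartition("/")
    name, sep, value = tail.partition("=")
    if sep:
        rec["endpoint"], rec["param"], rec["value"] = path, name, value
    else:
        rec["endpoint"], rec["param"], rec["value"] = rec["request"], None, None
    # A value that is only a GUID has no quotes, semicolons or comment
    # markers in it, so the logged URL alone does not explain the block.
    rec["guid_only"] = bool(rec["value"] and GUID_RE.match(rec["value"]))
    return rec

def summarize(lines):
    """Count hits per (endpoint, verdict) and collect the GUID-only ones."""
    hits = [r for r in map(parse_line, lines) if r]
    by_endpoint = Counter((r["endpoint"], r["verdict"]) for r in hits)
    return by_endpoint, [r for r in hits if r["guid_only"]]

SAMPLE = [
    # First line is the one quoted in the post; the other two are constructed.
    "./var/log/active/tomcat/logs/cui/log4j/cui00034.log:2018-05-24 15:53:09,557 ERROR [http-bio-443-exec-10] security.XSSFilter - SQL Injection found: request = /ccmadmin/gatewayT1E1PriSave.do/fkmgcp=225c6dbc-53b4-d9e5-bdd7-d8d4cb381944",
    "2018-05-24 15:54:00,000 ERROR [http-bio-443-exec-3] security.XSSFilter - SQL Injection found: request = /ccmadmin/exampleSave.do/name=abc",
    "2018-05-24 15:54:01,000 INFO [http-bio-443-exec-4] some.OtherLogger - unrelated message",
]

if __name__ == "__main__":
    counts, guid_only = summarize(SAMPLE)
    for (endpoint, verdict), n in counts.items():
        print(n, verdict, endpoint)
    for r in guid_only:
        print("GUID-only value blocked:", r["ts"], r["endpoint"], r["param"])
```

The GUID-only list is the part worth attaching to a support case, since it shows which save actions were refused and that the logged URL contained only an object identifier.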

Accepted Solutions

Re: cucm 12 security.XSSFilter - SQL Injection found error saving port config

A fair bit of pain but we eventually got an older version, 11.0.1.10000-10, which does not give the error.

So it seems this is a bug introduced between 11.0.1.10000-10 and 12.0.1.21900-7.

 

3 REPLIES 3
VIP Mentor

Re: cucm 12 security.XSSFilter - SQL Injection found error saving port config

Hello,

 

Sounds like a bug... can you upgrade to 12.1?


Re: cucm 12 security.XSSFilter - SQL Injection found error saving port config

Um, looking on Cisco website in "https://software.cisco.com/download/home/286313357/type" latest I can see is Release 12.0(1) which is what we have (we have the latest update mentioned in that page)?

 
