News
Vigil@nce: Cisco ASA, Cross Site Scripting of WebVPN
April 2009 by Vigil@nce
An attacker can generate a Cross Site Scripting in the WebVPN service of Cisco PIX/ASA.
Severity: 1/4
Consequences: client access/rights
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: unique source (2/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 01/04/2009
IMPACTED PRODUCTS
- Cisco PIX/ASA Software
DESCRIPTION OF THE VULNERABILITY
The WebVPN service is used to create a secured tunnel with a web client.
The Host header of the HTTP protocol indicates the name of the server. For example, if the user clicks on the "http://server/page" url, the Host header is set to "server". This header cannot be freely set.
The WebVPN service does not filter the server name received in the Host header before displaying it in an HTML page. This error leads to a Cross Site Scripting. However, as the Host cannot be freely set, this vulnerability is hard to exploit.
CHARACTERISTICS
Identifiers: BID-34307, VIGILANCE-VUL-8584
Url: http://vigilance.fr/vulnerability/Cisco-ASA-Cross-Site-Scripting-of-WebVPN-8584
