Vigil@nce: Cisco ASA, Cross Site Scripting of WebVPN
April 2009 by Vigil@nce
An attacker can generate a Cross Site Scripting in the WebVPN
service of Cisco PIX/ASA.
– Severity: 1/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: unique source (2/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 01/04/2009
IMPACTED PRODUCTS
- Cisco PIX/ASA Software
DESCRIPTION OF THE VULNERABILITY
The WebVPN service is used to create a secured tunnel with a web
client.
The Host header of the HTTP protocol indicates the name of the
server. For example, if the user clicks on the
"http://server/page" url, the Host header is set to "server". This
header cannot be freely set.
The WebVPN service does not filter the server name received in the
Host header before displaying it in an HTML page. This error leads
to a Cross Site Scripting. However, as the Host cannot be freely
set, this vulnerability is hard to exploit.
CHARACTERISTICS
– Identifiers: BID-34307, VIGILANCE-VUL-8584
– Url: http://vigilance.fr/vulnerability/Cisco-ASA-Cross-Site-Scripting-of-WebVPN-8584