Trustwave's SpiderLabs Security Advisory TWSL2009-002:
Cisco ASA Web VPN Multiple Vulnerabilities
Published: 2009-06-24 Version: 1.0
Vendor: Cisco Systems, Inc. (http://www.cisco.com)
Versions affected: 8.0(4), 8.1.2, and 8.2.1
Description: Cisco's Adaptive Security Appliance (ASA)
provides a number of security related features, including
"Web VPN" functionality that allows authenticated users to
access a variety of content through a web interface. This
includes other web content, FTP servers, and CIFS file
The web content is proxied by the ASA and rewritten so that
any URLs in the web content are passed as query parameters
sent to the ASA web interface. Where scripting content is
original webpage's Document Object Model (DOM), to prevent
the webpage from accessing the ASA's DOM.
Credit: David Byrne of Trustwave's SpiderLabs
Finding 1: Post-Authentication Cross-Site Scripting
The ASA's DOM wrapper can be rewritten in a way that allows
Cross-Site Scripting (XSS) attacks. For example, the
a call to a function referenced by "CSCO_WebVPN['process']".
The result of this call is then used in an "eval" statement.
This vulnerability has been corrected in versions 22.214.171.124,
Updated Cisco ASA software can be downloaded from:
A vendor response will be posted at
http://www.cisco.com/security. This vulnerability is
documented in Cisco Bug ID: CSCsy80694.
CVSS v2 vector (base and temporal metrics): AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Finding 2: HTML Rewriting Bypass
When a webpage is requested through the ASA's Web VPN, the
target's scheme and hostname are ROT13-encoded, then
hex-encoded and placed in the ASA's URL path. For example,
"http://www.trustwave.com" is accessed by requesting the
following ASA path:
The HTML content returned for this request is visibly rewritten by
the ASA, starting at the very beginning:
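The scheme-and-host transform described above (ROT13, then hex) is simple enough to reproduce, which is useful when decoding Web VPN request paths from proxy or web-server logs during a review. The following is an added example written for this page, not code from the advisory or from Cisco. The function names are my own; the ASA's real surrounding path layout is not reproduced here, only the encoded token, and the "/proxy/<token>/" layout used in the constructed sample log is made up for the sample.

```python
import codecs
import re
from urllib.parse import urlsplit

# A decoded token should look like "scheme://host" in printable ASCII.
_ORIGIN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://[!-~]+$")
# Maximal even-length runs of hex digits, at least 8 bytes long.
_HEX_RUN_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){8,}")


def webvpn_encode_origin(url: str) -> str:
    """ROT13 then hex-encode the scheme and host of an absolute URL.

    This is the transform the advisory describes for the target of a
    rewritten Web VPN link; path and query are not part of the token.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("expected an absolute URL with a scheme and host")
    origin = f"{parts.scheme}://{parts.netloc}"
    rotated = codecs.encode(origin, "rot_13")  # ROT13 touches ASCII letters only
    return rotated.encode("ascii").hex().upper()


def webvpn_decode_origin(token: str) -> str:
    """Inverse of webvpn_encode_origin: hex-decode, then ROT13 again
    (ROT13 is its own inverse). Accepts upper- or lower-case hex."""
    rotated = bytes.fromhex(token).decode("ascii")
    return codecs.encode(rotated, "rot_13")


def find_webvpn_origins(text: str) -> list[str]:
    """Scan free text (a log line, an access log) for hex runs that
    decode to a plausible "scheme://host" and return them in order.

    Runs that are not valid ASCII after hex-decoding, or that do not
    look like an origin, are skipped; this keeps timestamps, IP
    addresses and unrelated hex (hashes, IDs) out of the result.
    """
    found = []
    for m in _HEX_RUN_RE.finditer(text):
        try:
            candidate = webvpn_decode_origin(m.group(0))
        except (ValueError, UnicodeDecodeError):
            continue
        if _ORIGIN_RE.match(candidate):
            found.append(candidate)
    return found


# Constructed sample log (not real ASA output); the "/proxy/<token>/"
# path layout is invented for the sample and is not the ASA's format.
SAMPLE_LOG = (
    '10.0.0.5 - alice [24/Jun/2009:10:00:00 +0000] "GET /proxy/'
    + webvpn_encode_origin("http://www.trustwave.com")
    + '/index.html HTTP/1.1" 200\n'
    '10.0.0.5 - alice [24/Jun/2009:10:00:02 +0000] "GET /proxy/'
    + webvpn_encode_origin("https://intranet.example:8443")
    + '/login HTTP/1.1" 200\n'
    '10.0.0.7 - bob [24/Jun/2009:10:00:05 +0000] "GET /static/DEADBEEFDEADBEEF00/x HTTP/1.1" 404\n'
)


if __name__ == "__main__":
    token = webvpn_encode_origin("http://www.trustwave.com")
    print(token)
    print(webvpn_decode_origin(token))
    for origin in find_webvpn_origins(SAMPLE_LOG):
        print("target:", origin)
```

The scanner deliberately ignores any framing the appliance puts around the token, so it works on whatever a log system has recorded as the request path; false positives are limited by requiring the decoded bytes to be printable ASCII beginning with a scheme and "://".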