ID

VAR-200606-0153

CVE

CVE-2006-3073

TITLE

Cisco VPN3K/ASA WebVPN Clientless mode Multiple Cross-Site Scripting Vulnerabilities

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the WebVPN feature in the Cisco VPN 3000 Series Concentrators and Cisco ASA 5500 Series Adaptive Security Appliances (ASA), when in WebVPN clientless mode, allow remote attackers to inject arbitrary web script or HTML via the domain parameter in (1) dnserror.html and (2) connecterror.html, aka bugid CSCsd81095 (VPN3k) and CSCse48193 (ASA). NOTE: the vendor states that "WebVPN full-network-access mode" is not affected, despite the claims by the original researcher. The issue is due to insufficient sanitization of HTML and script code from error messages that are displayed to users. This vulnerability could result in the execution of attacker-supplied HTML and script code in the session of a victim user. In the worst-case scenario, the attacker could gain unauthorized access to the VPN by stealing the WebVPN session cookie. Cisco tracks this issue as Bug IDs CSCsd81095 and CSCse48193. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. Input passed in the URL isn't properly sanitised before being returned to the user in the "dnserror.html" and the "connecterror.html" pages. Successful exploitation requires that clientless mode of the WebVPN feature is enabled. SOLUTION: Filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities. PROVIDED AND/OR DISCOVERED BY: The vendor credits Michal Zalewski and two other users. ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046708.html Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060613-webvpn-xss.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

xss

EXTERNAL IDS

REFERENCES

CREDITS

Discovery is credited to Michal Zalewski.

SOURCES

LAST UPDATE DATE

2024-08-14T14:00:16.311000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE