Trustwave's SpiderLabs Security Advisory TWSL2009-002: Cisco ASA Web VPN Multiple Vulnerabilities Published: 2009-06-24 Version: 1.0 Vendor: Cisco Systems, Inc. ( Versions affected: 8.0(4), 8.1.2, and 8.2.1 Description: Cisco's Adaptive Security Appliance (ASA) provides a number of security related features, including "Web VPN" functionality that allows authenticated users to access a variety of content through a web interface. This includes other web content, FTP servers, and CIFS file servers. The web content is proxied by the ASA and rewritten so that any URLs in the web content are passed as query parameters sent to the ASA web interface. Where scripting content is present, the ASA places a JavaScript wrapper around the original webpage's Document Object Model (DOM), to prevent the webpage from accessing the ASA's DOM. Credit: David Byrne of Trustwave's SpiderLabs Finding 1: Post-Authentication Cross-Site Scripting CVE: CVE-2009-1201 The ASA's DOM wrapper can be rewritten in a manner to allow Cross-Site Scripting (XSS) attacks. For example, the "csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes a call to a function referenced by "CSCO_WebVPN['process']". The result of this call is then used in an "eval" statement. function csco_wrap_js(str) { var ret=" Vendor Response: This vulnerability has been corrected in versions, and Updated Cisco ASA software can be downloaded from: A vendor response will be posted at This vulnerability is documented in Cisco Bug ID: CSCsy80694. CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9 Finding 2: HTML Rewriting Bypass CVE: CVE-2009-1202 When a webpage is requested through the ASA's Web VPN, the targeted scheme and hostname is Rot13-encoded, then hex-encoded and placed in the ASA's URL. For example, "" is accessed by requesting the following ASA path: /+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A+ +/ The HTML content of this request is obviously reformatted by the ASA, starting at the very beginning: