Vigil@nce: Cisco ASA, HTTP Response Splitting
July 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
An attacker can entice the victim into clicking on a malicious URL in
order to inject HTTP headers into the reply of the Cisco ASA web
interface.
– Severity: 2/4
– Creation date: 28/06/2010
DESCRIPTION OF THE VULNERABILITY
The web administrative interface of Cisco ASA listens on port 443
(HTTPS/SSL). When a user connects to port 80, the device automatically
redirects the client to port 443.
For example, if the client requests:
GET http://asa/
then, the server returns:
HTTP/1.0 301 Moved Permanently
Location: https://asa/
However, this reply is built from the request without filtering line
feeds. So, if the client instead requests, for example:
GET http://asa/[line_feed]Location: http://attacker/
then, the server returns:
HTTP/1.0 301 Moved Permanently
Location: https://asa/
Location: http://attacker/
A client that honours the injected Location header is thus redirected
to the attacker's web site.
An attacker can therefore entice the victim into clicking on a
malicious URL in order to inject HTTP headers into the reply of the
Cisco ASA web interface.
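The following is an added illustration, not code from the Vigil@nce bulletin or from Cisco: a minimal model of the port-80 redirect described above, built once without filtering (reproducing the response splitting) and once with control characters rejected, plus a lenient header parser that shows what a client would see. The host names "asa" and "attacker" are taken from the bulletin; the request paths and the parser's behaviour (accepting a bare line feed as a line terminator) are assumptions made for the demonstration.

```python
import re
from urllib.parse import quote

# Constructed sample request paths (not captured traffic): a benign one and
# one carrying a raw line feed followed by a forged Location header, the
# attack shape the bulletin describes.
BENIGN_PATH = "/"
MALICIOUS_PATH = "/\nLocation: http://attacker/"

# Any ASCII control character (CR, LF, NUL, ...) must never reach a header value.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_redirect_vulnerable(path, host="asa"):
    """Copy the requested path into Location unchanged, as the bulletin describes."""
    return ("HTTP/1.0 301 Moved Permanently\r\n"
            "Location: https://%s%s\r\n\r\n" % (host, path))


def build_redirect_hardened(path, host="asa"):
    """Refuse paths containing control characters; percent-encode the rest.

    Rejecting (rather than silently stripping) keeps the mapping between
    request and redirect target unambiguous.
    """
    if CONTROL_CHARS.search(path):
        return "HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    safe_path = quote(path, safe="/?=&")  # encodes anything else unusual
    return ("HTTP/1.0 301 Moved Permanently\r\n"
            "Location: https://%s%s\r\n\r\n" % (host, safe_path))


def parse_headers(response):
    """Split a response into (status line, [(name, value), ...]).

    Assumption: like many lenient clients, a bare LF is accepted as a line
    terminator, which is exactly what makes the injected header visible.
    """
    head = response.split("\r\n\r\n", 1)[0]
    lines = re.split(r"\r?\n", head)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def location_headers(response):
    """Return every Location value a lenient client would extract."""
    _, headers = parse_headers(response)
    return [value for name, value in headers if name.lower() == "location"]


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_redirect_vulnerable),
                           ("hardened", build_redirect_hardened)):
        for path in (BENIGN_PATH, MALICIOUS_PATH):
            resp = builder(path)
            print("%-10s %-32r -> %s" % (label, path, location_headers(resp)))
```

The vulnerable builder turns the malicious path into a reply carrying two Location headers, the second pointing at the attacker; the hardened builder answers such a request with 400 instead of echoing it, and leaves the benign redirect unchanged.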
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cisco-ASA-HTTP-Response-Splitting-9730