SOL14712 - The BIG-IP APM access policy logout page may be vulnerable to XSS cookie tampering

2013-09-19 00:00:00
support.f5.com

Recommended action

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table.

To mitigate this vulnerability, you can modify the logout web page so that the specific JavaScript identified as the issue is commented out and no longer runs. To do so, perform the following procedure:

Impact of action: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the BIG-IP Configuration utility.

  2. Click Access Policy.

  3. Click Customization.

  4. Click Advanced Customization.

  5. From the Edit Mode menu, select Advanced.

  6. Select the resource type folder for Access Profiles.

  7. Select the subfolder that shares the name of the affected access policy.

  8. Select the Logout folder.

  9. Select the logout.inc file.

  10. Locate the following line, which is typically line 40 of an unmodified logout.inc file:

var display_session = get_cookie("LastMRH_Session");

The entire JavaScript code appears as follows:

var display_session = get_cookie("LastMRH_Session");
if(null != display_session) {
    document.getElementById("sessionDIV").innerHTML = '<BR>The session reference number: ' + display_session + '<BR><BR>';
    document.getElementById("sessionDIV").style.visibility = "visible";
}

  11. Place the double forward slash characters (//) in front of each line.

For example:

// var display_session = get_cookie("LastMRH_Session");
// if(null != display_session) {
//     document.getElementById("sessionDIV").innerHTML = '<BR>The session reference number: ' + display_session + '<BR><BR>';
//     document.getElementById("sessionDIV").style.visibility = "visible";
// }

  12. Click Save Draft.
  13. Click Save.
  14. Click Apply Access Policy.
  15. Click Apply Access Policy.
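The advisory's root cause is that a cookie value controlled by the client is concatenated straight into markup and assigned to innerHTML, so any HTML in the cookie is parsed as live DOM. The following is an added illustration, not F5's logout.inc code: it reproduces that pattern beside a hardened rendering that escapes the value (or, in a browser, writes it with textContent) and rejects values that do not look like a session reference. The cookie name LastMRH_Session comes from the advisory; the helper names, the hex-identifier check and the sample cookie strings are assumptions constructed for this example.

```javascript
// Added example (not F5's logout.inc): the cookie-to-innerHTML pattern
// described in the advisory, shown next to a hardened rendering.
// Assumed: helper names, the hex-identifier allowlist and the sample
// cookie strings below are constructed for illustration only.

// Minimal cookie lookup in the spirit of logout.inc's get_cookie():
// takes a document.cookie-style string and returns the named value or null.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) {
      return rest.join('=');
    }
  }
  return null;
}

// Vulnerable pattern: the cookie value is concatenated into markup verbatim,
// so any HTML it contains becomes live DOM once assigned to innerHTML.
function buildSessionMarkupUnsafe(displaySession) {
  return '<BR>The session reference number: ' + displaySession + '<BR><BR>';
}

// Hardened: neutralise the HTML-significant characters before the value
// can reach innerHTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function buildSessionMarkupSafe(displaySession) {
  return '<BR>The session reference number: ' + escapeHtml(displaySession) + '<BR><BR>';
}

// Defensive allowlist (assumption): a session reference is treated as a
// hex identifier, so anything else is rejected rather than rendered.
function isPlausibleSessionId(value) {
  return /^[0-9a-fA-F]{8,64}$/.test(value);
}

// Browser-side rendering: textContent never parses markup, so even an
// unexpected value cannot inject elements. `doc` is passed in so the
// function can be exercised with a stand-in object outside a browser.
function renderSessionReference(doc, cookieString) {
  const display = getCookie(cookieString, 'LastMRH_Session');
  if (display === null || !isPlausibleSessionId(display)) {
    return false;
  }
  const div = doc.getElementById('sessionDIV');
  div.textContent = 'The session reference number: ' + display;
  div.style.visibility = 'visible';
  return true;
}

// Constructed sample inputs: one well-formed cookie, one carrying markup.
const benignCookie = 'LastMRH_Session=0a1b2c3d; other=1';
const taintedCookie = 'LastMRH_Session=<b>not a session id</b>';
```

Either mitigation alone (escaping or the allowlist) removes the injection; using both means a rendering bug in one layer is still caught by the other. The advisory's own workaround simply comments the rendering out, which is the zero-risk option when the session reference display is not needed.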

Acknowledgments

F5 would like to acknowledge Tony Dimichele of BNP Paribas US for bringing this issue to our attention, and for following the highest standards of responsible disclosure.

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL4602: Overview of the F5 security vulnerability response policy
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x)
Affected product (CPE): BIG-IP APM, versions up to and including 11.3.0