SOL8280 - Cross-site scripting vulnerabilities in BIG-IP Configuration utility CVE-2008-0265

2008-01-16T00:00:00
ID SOL8280
Type f5
Reporter f5
Modified 2016-07-25T00:00:00

Description

The vulnerability can be triggered only by authenticated users. In theory, a malicious site open in another tab of an administrator's browser could cause that browser to request a list URL, making the Configuration utility render attacker-supplied JavaScript in the administrator's browser. The effect is reflected only; nothing is saved beyond the user's browser.
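As an added illustration that is not F5's code and does not reproduce the Configuration utility's real list page, the following generic Python snippet shows the defect class behind a reflected cross-site scripting issue of this kind: a server builds an HTML list page from a request parameter, once by plain string concatenation and once with output encoding, plus a small review check that tells the two apart. The URL, the parameter name `filter`, and the function names are assumptions made for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: an administrator's browser is made to fetch a
# list URL whose query string carries text chosen by another site. The host
# and the "filter" parameter are assumptions for this example, not values
# taken from the Configuration utility.
SAMPLE_URL = "https://bigip.example.invalid/list?filter=%3Cscript%3Eprobe()%3C/script%3E"


def filter_from_url(url: str) -> str:
    """Return the decoded 'filter' query parameter as the server would see it."""
    query = parse_qs(urlsplit(url).query)
    return query.get("filter", [""])[0]


def render_list_page_unsafe(filter_text: str) -> str:
    """Vulnerable pattern: the untrusted parameter is concatenated into the
    HTML unchanged, so the browser parses any markup in it as part of the page."""
    return "<h1>Objects matching: " + filter_text + "</h1>"


def render_list_page_safe(filter_text: str) -> str:
    """Hardened pattern: HTML-encode the parameter before it enters the page
    body, so the browser shows it as text and never interprets it as markup."""
    return "<h1>Objects matching: " + html.escape(filter_text, quote=True) + "</h1>"


def reflects_markup(page: str, untrusted: str) -> bool:
    """Review check: does the raw untrusted string appear verbatim in the
    rendered page? True means the parameter is reflected without encoding."""
    return untrusted in page


if __name__ == "__main__":
    value = filter_from_url(SAMPLE_URL)
    print("unsafe reflects markup:", reflects_markup(render_list_page_unsafe(value), value))
    print("safe reflects markup:  ", reflects_markup(render_list_page_safe(value), value))
```

The same encoding rule applies to every context into which the parameter is written; `html.escape` is correct for element content and quoted attribute values, while JavaScript string or URL contexts need their own encoders.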

For more information, refer to the following locations:

  • <http://www.securityfocus.com/bid/27272/>
  • <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0265>
  • <http://secunia.com/advisories/28505>

F5 Product Development tracked this issue as CR113089 and CR90703 and it was fixed in BIG-IP 10.0.0 and Enterprise Manager 1.6.0. For information about upgrading, refer to the BIG-IP LTM, GTM, Link Controller, ASM, WebAccelerator, or Enterprise Manager release notes.

F5 Product Development also tracked this issue as CR90703 and it was fixed for Firefox browser clients in BIG-IP 9.4.4. However, Internet Explorer clients remained vulnerable in that release. For information about upgrading, refer to the BIG-IP LTM, GTM, Link Controller, ASM, or WebAccelerator release notes.

Additionally, this issue was fixed for Firefox browser clients in Hotfix-BIG-IP-9.3.1-HF-2 issued for BIG-IP 9.3.1. You may download this hotfix or later versions of the hotfix from the F5 Downloads site.

To view a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.

For information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.

For information about managing F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.

Workaround

To prevent a malicious site from exploiting this vulnerability, do not use the same browser for any other website while you are using the BIG-IP Configuration utility. Also, close the browser after completing BIG-IP administration tasks.

Acknowledgements

F5 would like to acknowledge Marcin Kozlowski for his efforts in identifying this issue, and providing F5 with the initial external notification.