Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

F5 FirePass Content Inspection Management XSS

From: nnposter () disclosed not
Date: 5 Jun 2008 14:09:57 -0000
F5 FirePass Content Inspection Management XSS


Product: F5 FirePass
http://www.f5.com/products/firepass/


The F5 FirePass SSL VPN appliance provides rudimentary web request sanitization for resources exposed through the 
appliance via Portal Access. This Content Inspection feature can be configured and customized through the web 
management interface to optimize protection against cross-site scripting and SQL injection. The "XSS scripting" 
configuration page even prominently states the following:

"The FirePass can aid in preventing Cross Site Scripting attacks via vulnerable web servers. This is done by scanning 
URL arguments and form POST data sent by users through Web Applications, and blocking the request if it looks 
suspicious. Note that the FirePass user and admin console interfaces are already protected against Cross Site Scripting 
attacks."

Ironically these very pages contain cross-site scripting vulnerabilities. Specifically, parameter css_exceptions in 
page /vdesk/admincon/webyfiers.php and parameter sql_matchscope in page /vdesk/admincon/index.php are vulnerable due to 
incorrect handling of quotes. This allows an attacker to force premature termination of the parameter value and to 
inject an event handler script. This injection is permanent because it is embedded in the parameter value. At the same 
time it is possible to remove (also permanently) the "Update" button on the web form, which complicates the injection 
removal.


Examples:

https://(target)/vdesk/admincon/webyfiers.php?
a=css&click=1
&css_exceptions=%22+onfocus%3Dalert%28%26quot%3BXSS1%26quot%3B%29+foo%3D%22
&save_css_exceptions=Update

https://(target)/vdesk/admincon/index.php?
a=css&sub=sql
&sql_matchscope=%22+onfocus%3Dalert%28%26quot%3BXSS2%26quot%3B%29+foo%3D%22
&save_sql_matchscope=Update


The vulnerability has been identified in version 6.0.2, hotfix 3. However, other versions may be also affected.


Solution:
Users should not browse untrusted sites while logged into the FirePass management interface.


Found by:
nnposter
Previous By Date Next
Previous By Thread Next

Current thread: