
F5 BIG-IP Web Management Console XSS




Product: F5 BIG-IP
http://www.f5.com/products/big-ip/


The F5 BIG-IP web management interface contains a potentially persistent 
cross-site scripting vulnerability in the "Console" feature. Output from 
executed console commands is wrapped in <t_extarea> [intentionally misspelled] 
so the content is displayed verbatim but there is no protection against forced 
premature termination of the textarea block with an injected </t_extarea> tag.

Example command output with the exploit:
</t_extarea><s_cript>....</s_cript><t_extarea>

One possible persistent exploitation is for an attacker to create a log entry 
with an embedded script that gets executed any time the corresponding log file 
is later reviewed in the Console by an administrator. It is possible to craft 
URL links that would generate a suitable log entry with a simple HTTP GET 
request. This allows the attack to be carried out remotely.
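
The flaw described above, shown beside the output-encoding fix, as an added example (not code from the original advisory and not F5's code). It assumes the console page is built by string concatenation; all function names are hypothetical, and a harmless <b> element stands in for the script in the constructed sample log line.

```python
import html
from html.parser import HTMLParser

# Constructed sample console output: a log file in which one request path
# carries a closing textarea tag followed by markup (harmless <b> marker).
SAMPLE_OUTPUT = (
    "Mar  8 10:00:01 host httpd: GET /index.html 200\n"
    'Mar  8 10:00:02 host httpd: GET /</textarea><b id="injected">x</b><textarea> 404\n'
)


def render_unescaped(output: str) -> str:
    """Flawed pattern: command output placed verbatim inside the textarea."""
    return "<textarea readonly>" + output + "</textarea>"


def render_escaped(output: str) -> str:
    """Hardened: &, < and > become entities, so output cannot close the block."""
    return "<textarea readonly>" + html.escape(output, quote=False) + "</textarea>"


class _OutsideTextarea(HTMLParser):
    """Records every element that starts outside a textarea block."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.depth = 0
        self.outside = []

    def handle_starttag(self, tag, attrs):
        if tag == "textarea":
            self.depth += 1
        elif self.depth == 0:
            self.outside.append(tag)

    def handle_endtag(self, tag):
        if tag == "textarea" and self.depth:
            self.depth -= 1


def tags_outside_textarea(page: str) -> list:
    """Regression check: any tag returned here was parsed as live markup."""
    parser = _OutsideTextarea()
    parser.feed(page)
    parser.close()
    return parser.outside


if __name__ == "__main__":
    print("unescaped:", tags_outside_textarea(render_unescaped(SAMPLE_OUTPUT)))
    print("escaped:  ", tags_outside_textarea(render_escaped(SAMPLE_OUTPUT)))
```

A check like tags_outside_textarea can run as a regression test over any page that displays command output or log content.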


The vulnerability has been identified in version 9.4.3. However, other versions 
may also be affected.


Solution:
Do not use the web management Console feature to review logs. Use SSH CLI 
instead.


History:
2/23/08 - 1st notice sent to F5 (no response)
3/4/08  - 2nd notice sent to F5 (no response)
3/8/08  - public disclosure


Found by:
nnposter