F5 BIG-IP Web Management Console XSS
F5 BIG-IP Web Management Console XSS
Product: F5 BIG-IP
http://www.f5.com/products/big-ip/
The F5 BIG-IP web management interface contains a potentially persistent
cross-site scripting vulnerability in the "Console" feature. Output from
executed console commands is wrapped in <t_extarea> [intentionally misspelled]
so the content is displayed verbatim but there is no protection against forced
premature termination of the textarea block with an injected </t_extarea> tag.
Example command output with the exploit:
</t_extarea><s_cript>....</s_cript><t_textarea>
One possible persistent exploitation is for an attacker to create a log entry
with an embedded script that gets executed any time the corresponding log file
is later reviewed in the Console by an administrator. It is possible to craft
URL links that would generate a suitable log entry with a simple HTTP GET
request. This allows the attack to be carried out remotely.
The vulnerability has been identified in version 9.4.3. However, other versions
may be also affected.
Solution:
Do not use the web management Console feature to review logs. Use SSH CLI
instead.
History:
2/23/08 - 1st notice sent to F5 (no response)
3/4/08 - 2nd notice sent to F5 (no response)
3/8/08 - public disclosure
Found by:
nnposter