F5 BIG-IP Web Management Audit Log XSS
F5 BIG-IP Web Management Audit Log XSS
Product: F5 BIG-IP
http://www.f5.com/products/big-ip/
The F5 BIG-IP web management interface contains a persistent cross-site
scripting vulnerability in the audit log facility. Log entries are output raw,
without being HTML-encoded first. This allows an attacker to create a log entry
with an embedded script that gets executed any time the audit log is later
reviewed by an administrator.
One of several exploit vectors is to create a node object with a script
embedded in the node name. The creation will fail due to unsupported characters
but an audit log entry still gets created. Other confirmed entry points are
sysContact and sysLocation on the SNMP configuration page.
It is possible to craft URL links that would generate a suitable log entry with
a simple HTTP GET request. This allows the attack to be carried out remotely.
The vulnerability has been identified in version 9.4.3. However, other versions
may be also affected.
Solution:
Do not use the web management interface to review audit logs. Use SSH CLI
instead.
Found by:
nnposter