F5 FirePass Content Inspection Management XSS
F5 FirePass Content Inspection Management XSS
Product: F5 FirePass
http://www.f5.com/products/firepass/
The F5 FirePass SSL VPN appliance provides rudimentary web request sanitization
for resources exposed through the appliance via Portal Access. This Content
Inspection feature can be configured and customized through the web management
interface to optimize protection against cross-site scripting and SQL
injection. The "XSS scripting" configuration page even prominently states the
following:
"The FirePass can aid in preventing Cross Site Scripting attacks via vulnerable
web servers. This is done by scanning URL arguments and form POST data sent by
users through Web Applications, and blocking the request if it looks
suspicious. Note that the FirePass user and admin console interfaces are
already protected against Cross Site Scripting attacks."
Ironically these very pages contain cross-site scripting vulnerabilities.
Specifically, parameter css_exceptions in page /vdesk/admincon/webyfiers.php
and parameter sql_matchscope in page /vdesk/admincon/index.php are vulnerable
due to incorrect handling of quotes. This allows an attacker to force premature
termination of the parameter value and to inject an event handler script. This
injection is permanent because it is embedded in the parameter value. At the
same time it is possible to remove (also permanently) the "Update" button on
the web form, which complicates the injection removal.
Examples:
https://(target)/vdesk/admincon/webyfiers.php?
a=css&click=1
&css_exceptions=%22+onfocus%3Dalert%28%26quot%3BXSS1%26quot%3B%29+foo%3D%22
&save_css_exceptions=Update
https://(target)/vdesk/admincon/index.php?
a=css&sub=sql
&sql_matchscope=%22+onfocus%3Dalert%28%26quot%3BXSS2%26quot%3B%29+foo%3D%22
&save_sql_matchscope=Update
The vulnerability has been identified in version 6.0.2, hotfix 3. However,
other versions may be also affected.
Solution:
Users should not browse untrusted sites while logged into the FirePass
management interface.
Found by:
nnposter