<<< Date Index >>>     <<< Thread Index >>>

F5 FirePass Content Inspection Management XSS



F5 FirePass Content Inspection Management XSS


Product: F5 FirePass
http://www.f5.com/products/firepass/


The F5 FirePass SSL VPN appliance provides rudimentary web request sanitization 
for resources exposed through the appliance via Portal Access. This Content 
Inspection feature can be configured and customized through the web management 
interface to optimize protection against cross-site scripting and SQL 
injection. The "XSS scripting" configuration page even prominently states the 
following:

"The FirePass can aid in preventing Cross Site Scripting attacks via vulnerable 
web servers. This is done by scanning URL arguments and form POST data sent by 
users through Web Applications, and blocking the request if it looks 
suspicious. Note that the FirePass user and admin console interfaces are 
already protected against Cross Site Scripting attacks."

Ironically these very pages contain cross-site scripting vulnerabilities. 
Specifically, parameter css_exceptions in page /vdesk/admincon/webyfiers.php 
and parameter sql_matchscope in page /vdesk/admincon/index.php are vulnerable 
due to incorrect handling of quotes. This allows an attacker to force premature 
termination of the parameter value and to inject an event handler script. This 
injection is permanent because it is embedded in the parameter value. At the 
same time it is possible to remove (also permanently) the "Update" button on 
the web form, which complicates the injection removal.


Examples:

https://(target)/vdesk/admincon/webyfiers.php?
a=css&click=1
&css_exceptions=%22+onfocus%3Dalert%28%26quot%3BXSS1%26quot%3B%29+foo%3D%22
&save_css_exceptions=Update

https://(target)/vdesk/admincon/index.php?
a=css&sub=sql
&sql_matchscope=%22+onfocus%3Dalert%28%26quot%3BXSS2%26quot%3B%29+foo%3D%22
&save_sql_matchscope=Update


The vulnerability has been identified in version 6.0.2, hotfix 3. However, 
other versions may be also affected.


Solution:
Users should not browse untrusted sites while logged into the FirePass 
management interface.


Found by:
nnposter