| F5 FirePass 4100 SSL VPN Cross-Site Scripting Vulnerabilities |
|
|
|
| Por Marcelo Almeida (Vympel) | |
| 03 de dezembro de 2007 | |
|
Some vulnerabilities have been reported in F5 FirePass 4100 SSL VPN,
which can be exploited by malicious people to conduct cross-site
scripting attacks. Input passed via the URL to my.activation.php3 and my.logon.php3 is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are reported in FirePass versions 5.4.1 to 5.5.2 and FirePass versions 6.0 to 6.0.1. Solution: The vendor has issued cumulative hotfix HF-601-6 for version 6.0.1: https://support.f5.com/kb/en-us/solutions/public/7000/900/SOL7923.html Filter malicious characters and character sequences in a web proxy. Provided and/or discovered by: Adrian Pastor, Jan Fry, and Richard Brain of ProCheckUp Ltd. Original Advisory: F5: https://support.f5.com/kb/en-us/solutions/public/7000/900/SOL7923.html Procheckup Ltd: http://www.procheckup.com/Vulnerability_PR07-14.php http://www.procheckup.com/Vulnerability_PR07-15.php |
| < Anterior | Próximo > |
|---|
