lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 11 Jun 2009 14:34:52 +0200
From: "Sjoerd Resink" <>
To: <>, <>
Subject: F5 FirePass Cross-Site Scripting vulnerability

Vulnerability discovered: May 01, 2009
Reported to vendor: May 14, 2009
Fix available: May 28, 2009

F5 Networks FirePass SSL VPN controller provides secure access to
corporate applications and data using a standard web browser. More
information can be found at:

Fox-IT discovered a Cross-Site Scripting vulnerability in the F5
Networks FirePass SSL VPN controller. No authentication is required to
exploit this vulnerability.

This vulnerability can be used to execute arbitrary JavaScript code on
the computer of a user as if it genuinely originated from the target
domain. In order to do this, an attacker would have to lure the user
into visiting a specially prepared URL. Pages can be modified in such a
way that any data entered into password fields will not only be sent to
the F5 FirePass appliance, but also to the attacker. More advanced
exploits of XSS also enable attackers to abuse the user's computer as a
stepping stone for launching further attacks on the user's internal

F5 Networks has released Cumulative HotFix-603-3 for FirePass to address
this vulnerability. More information about obtaining and installing this
patch can be found at:

Thanks to F5 Networks for their quick response regarding this issue.

Original report at
rtikel/f5-firepass-cross-site-scripting-vulnerability/106. Details will
be released in the near future.

Powered by blists - more mailing lists