Date: Tue, 2 Dec 2014 20:34:14 GMT
From: jplopezy@...il.com
To: bugtraq@...urityfocus.com
Subject: F5 BIGIP - (OLD!)  Persistent XSS in ASM Module


Description
-----------


The F5 BIG-IP is a load balancer with several modules; one of them, ASM (Application Security Manager), works as a WAF (web application firewall). ASM allows creating security policies to protect a web site, for example.

It offers several ways to do this:

Create a policy automatically (recommended) <- BAD IDEA
Create a policy manually or use templates (advanced)
Create a policy for XML and web services manually
Create a policy using third party vulnerability assessment tool output


The problem is with creating a policy automatically:

Select Create a policy automatically if you want the Application Security Manager to build a security policy automatically. 
This option is good for production traffic or for a QA environment. The policy building process can take a few days, depending on the number of requests sent and the size of the website.

When you select this option, any client that connects to the site (a user or a web security scanner) sends requests, genuine and fake, and the module starts to learn every URI, parameter and value, whether genuine or not.

This is where the problem arises: the module learns from every request that users or web scanners send, and web scanners in particular often send junk such as invalid parameters or attack payloads.

The ASM module learns this data, and that is where the trouble begins!


Vulnerability
-------------

The bug is in the file pl_tree.php. Send this request to a site that has a policy built automatically: /127.0.0.1/~<img src="test" onclick="alert('XSS')">. When you send this request it (in some cases) ends up under Allowed URL Properties (in some cases it ends up disabled, depending on the staging time, which defaults to 7 days for automatic policies).

So, if the administrator of this policy goes to Security ›› Application Security : Security Policies : Active Policies, opens the policy and clicks on Tree View, the XSS runs. In this case the payload needs a click, but there are other vectors.


Check the image: http://postimg.org/image/7f8i3m139/

It all ends in a persistent/stored XSS that allows stealing cookies or other vectors such as gathering information.
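As an added example (not F5's code and not part of the original advisory), the following JavaScript contrasts the rendering pattern the advisory describes, where a learned URL is written straight into the Tree View page, with output encoding at the point of rendering. It also adds a review filter for the learning step described above, so that learned entries carrying HTML metacharacters are held for manual review instead of being accepted automatically. The function names, the HTML structure and the list of learned URLs are assumptions constructed for illustration; the hostile path is the one quoted in this advisory.

```javascript
// Added example (not F5's code). Models how a URL "learned" by ASM's automatic
// policy builder reaches the admin Tree View, and why output encoding stops the
// stored XSS. Function names and the data model are assumptions for illustration.

// Constructed sample of entries an automatic policy might learn from traffic:
// two benign paths plus the hostile path quoted in the advisory.
const learnedUrls = [
  "/index.php",
  "/account/settings",
  '/~<img src="test" onclick="alert(\'XSS\')">',
];

// HTML entity encoding for text placed into an element body or a double-quoted
// attribute value. '&' is replaced first so later entities are not re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the pattern the advisory describes. The learned URL is treated as
// if the administrator had typed it and is concatenated straight into the page,
// so the injected <img> becomes a live element in the admin's browser.
function renderTreeUnsafe(urls) {
  return "<ul>" + urls.map((u) => "<li>" + u + "</li>").join("") + "</ul>";
}

// HARDENED: every learned value is encoded at the point it is written into HTML,
// regardless of where it was learned from. The browser shows the text of the
// payload, but never parses it as markup.
function renderTreeSafe(urls) {
  return (
    "<ul>" + urls.map((u) => "<li>" + escapeHtml(u) + "</li>").join("") + "</ul>"
  );
}

// Counts opening tags in rendered markup, so a test can show that the unsafe
// renderer produced one more element than the renderer itself created.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Defender-side review helper for the learning step: flag learned URLs that
// carry HTML metacharacters so an administrator can reject them rather than
// letting the automatic policy builder accept them unseen.
function flagSuspicious(urls) {
  return urls.filter((u) => /[<>"']/.test(u));
}

console.log("flagged for review:", flagSuspicious(learnedUrls));
console.log("safe tree view:", renderTreeSafe(learnedUrls));
```

The point of the filter is triage, not protection: the encoding in renderTreeSafe is what actually neutralizes the payload, while the filter only gives the administrator a chance to see that a "learned" URL was never a legitimate part of the site.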


Conclusion
----------

A hotfix is important, but to prevent this type of attack, do not use automatic policy creation.

regards


Version:

Hotfix-BIGIP-11.3.0-HF8-3144.158

