F5 BIG-IP Web Management Console XSS


Product: F5 BIG-IP
http://www.f5.com/products/big-ip/


The F5 BIG-IP web management interface contains a potentially persistent cross-site scripting vulnerability in the "Console" feature. Output from executed console commands is wrapped in <t_extarea> [intentionally misspelled] so the content is displayed verbatim but there is no protection against forced premature termination of the textarea block with an injected </t_extarea> tag.

Example command output with the exploit:
</t_extarea><s_cript>....</s_cript><t_textarea>

One possible persistent exploitation is for an attacker to create a log entry with an embedded script that gets executed any time the corresponding log file is later reviewed in the Console by an administrator. It is possible to craft URL links that would generate a suitable log entry with a simple HTTP GET request. This allows the attack to be carried out remotely.


The vulnerability has been identified in version 9.4.3. However, other versions may be also affected.


Solution:
Do not use the web management Console feature to review logs. Use SSH CLI instead.


History:
2/23/08 - 1st notice sent to F5 (no response)
3/4/08  - 2nd notice sent to F5 (no response)
3/8/08  - public disclosure


Found by:
nnposter