F5 BIGIP - (OLD!) Persistent XSS in ASM Module
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: F5 BIGIP - (OLD!) Persistent XSS in ASM Module
- From: jplopezy@xxxxxxxxx
- Date: Tue, 2 Dec 2014 20:34:14 GMT
Description
-----------
The F5 BIG-IP is a load balancer with several modules; one of them, ASM
(Application Security Manager), works as a WAF (web application firewall). ASM
lets you create a security policy to protect a web site, for example.
For that it offers several methods:
Create a policy automatically (recommended) <- BAD IDEA
Create a policy manually or use templates (advanced)
Create a policy for XML and web services manually
Create a policy using third party vulnerability assessment tool output
The problem is with creating a policy automatically:
Select Create a policy automatically if you want the Application Security
Manager to build a security policy automatically.
This option is good for production traffic or for a QA environment. The policy
building process can take a few days, depending on the number of requests sent
and the size of the website.
When you select this option, any user that connects to the site (a real user or
a web security scanner) sends requests, both legitimate and bogus, and the
application starts learning every URI, parameter and value (valid or not).
That is where the problem comes from: the application learns every request the
users or the web scanner send, and in the case of a web scanner this software
sometimes sends junk such as invalid parameters or attack payloads.
The ASM module learns this data, and that is where the problem happens!
Vulnerability
-------------
The bug is in the file pl_tree.php. Send this request to a site that has a
policy built automatically: /127.0.0.1/~<img src="test" onclick="alert('XSS')">
When you send this request it (in some cases) ends up in Allowed URL Properties
(in some cases it ends up disabled if the staging time is disabled; in
automatic mode the default is 7 days).
So, if the admin of this policy goes to Security >> Application Security :
Security Policies : Active Policies, opens the policy and clicks on Tree View,
the XSS runs. In this case the payload needs a click, but there are other
vectors.
Check image : http://postimg.org/image/7f8i3m139/
All of this ends in a persistent/stored XSS that allows stealing cookies or
other vectors such as getting information.
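The root cause described above is learned, attacker-influenced URL entries being
rendered into the admin page without escaping. The following is an added
illustration, not code from the advisory or from F5: a constructed list of
"learned" allowed URLs, a vulnerable renderer beside an escaped one, and a
defender-side check that flags learned entries containing markup so an admin can
prune them before accepting an automatically built policy.

```python
import html
import re
from typing import List

# Constructed sample of "learned" allowed-URL entries, as an automatic policy
# might accumulate them from real users plus scanner noise (not real BIG-IP data).
LEARNED_URLS: List[str] = [
    "/index.php",
    "/login",
    '/~<img src="test" onclick="alert(\'XSS\')">',  # the advisory's payload
]

# Looks for an HTML tag opener, an inline event handler, or a javascript: URL.
MARKUP_RE = re.compile(r'<[a-z!/]|\bon\w+\s*=|javascript:', re.IGNORECASE)


def render_tree_unsafe(urls: List[str]) -> str:
    """Vulnerable pattern: learned URLs dropped straight into the tree-view markup."""
    items = "".join(f"<li>{u}</li>" for u in urls)
    return f'<ul class="tree">{items}</ul>'


def render_tree_safe(urls: List[str]) -> str:
    """Hardened pattern: HTML-escape every learned value before it reaches the page."""
    items = "".join(f"<li>{html.escape(u, quote=True)}</li>" for u in urls)
    return f'<ul class="tree">{items}</ul>'


def suspicious_learned_entries(urls: List[str]) -> List[str]:
    """Flag learned entries that contain markup, for review before the policy is
    accepted (scanner junk should never become part of the allowed-URL list)."""
    return [u for u in urls if MARKUP_RE.search(u)]


if __name__ == "__main__":
    print("unsafe:", render_tree_unsafe(LEARNED_URLS))
    print("safe:  ", render_tree_safe(LEARNED_URLS))
    print("review:", suspicious_learned_entries(LEARNED_URLS))
```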
Conclusion
---------
A hotfix is important, but to prevent this type of attack do not use automatic
policy building.
regards
Version :
Hotfix-BIGIP-11.3.0-HF8-3144.158