


Category:   Device (Router/Bridge/Hub)  >   F5 BIG-IP
Vendors:   F5 Networks
F5 BIG-IP Input Validation Flaw in 'tmui/dashboard/echo.jsp' Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1030776
SecurityTracker URL:
CVE Reference:   CVE-2014-4023
Date:  Aug 29 2014
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 11.5.1 and prior versions
Description:   A vulnerability was reported in F5 BIG-IP. A remote user can conduct cross-site scripting attacks.

The 'tmui/dashboard/echo.jsp' script does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted request that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the BIG-IP interface and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
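The missing output encoding described above, modelled as an added Python example (not F5's JSP code and not part of the original advisory): a handler that reflects a request value unencoded, the same handler with HTML encoding applied at the point of output, and a regression check that tells them apart. The parameter name `msg`, the handler names and the probe string are assumptions constructed for illustration.

```python
import html

# Constructed, harmless probe: it only matters that it contains the characters
# (" < >) that let a reflected value break out of an attribute or tag.
PROBE = '"><b data-probe="c0ffee">reflected</b>'


def echo_vulnerable(params):
    """Models the flaw: the request value is copied into the HTML page as-is."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    # "msg" is a hypothetical parameter name; the advisory does not name one.
    body = "<div id='echo'>" + params.get("msg", "") + "</div>"
    return headers, body


def echo_hardened(params):
    """Same endpoint with output encoding applied where the value is written."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Stops browsers from re-interpreting the response as another type.
        "X-Content-Type-Options": "nosniff",
    }
    # html.escape encodes & < > and, with quote=True, " and ' as well, so the
    # value is rendered as text in both element and quoted-attribute context.
    safe = html.escape(params.get("msg", ""), quote=True)
    return headers, "<div id='echo'>" + safe + "</div>"


def is_reflected_unencoded(handler, param="msg"):
    """Regression check: True if the probe comes back byte-for-byte unencoded."""
    _, body = handler({param: PROBE})
    return PROBE in body


if __name__ == "__main__":
    for handler in (echo_vulnerable, echo_hardened):
        _, body = handler({"msg": PROBE})
        print(handler.__name__, "unencoded reflection:",
              is_reflected_unencoded(handler))
        print("  ", body)
```

Encoding at output time, rather than filtering on input, keeps the check valid regardless of how the value reached the page.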

The BIG-IP Configuration utility and the Enterprise Manager Configuration utility are affected.

The vendor has assigned ID 470796 (for BIG-IP) and ID 476101 (for Enterprise Manager) to this vulnerability.

The vendor was notified on July 8, 2014.

The original advisory is available at:

Stefan Viehbock of SEC Consult Vulnerability Lab reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the BIG-IP interface, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (11.6.0).

The vendor's advisory is available at:

Vendor URL:
Cause:   Input validation error

Message History:   None.

 Source Message Contents

Subject:  SEC Consult SA-20140828-0 :: F5 BIG-IP Reflected Cross-Site Scripting


SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >
              title: Reflected Cross-Site Scripting
            product: F5 BIG-IP
 vulnerable version: <= 11.5.1
      fixed version: > 11.6.0
             impact: Medium
         CVE number: CVE-2014-4023
              found: 2014-07-07
                     SEC Consult Vulnerability Lab

Vendor/product description:
-----------------------------
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance.  From load balancing and service offloading to acceleration and
are fast, secure, and available."


Vulnerability overview/description:
-----------------------------------
BIG-IP suffers from a reflected Cross-Site Scripting vulnerability,
which allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.

Proof of concept:
-----------------
The following HTTP request triggers the vulnerability:

POST /tmui/dashboard/echo.jsp HTTP/1.1
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 29


The server does not properly encode user-supplied information and returns it
to the user, resulting in Cross-Site Scripting.

Vulnerable / tested versions:
-----------------------------
More information can be found at:

Vendor contact timeline:
------------------------
2014-07-08: Sending advisory and proof of concept exploit via encrypted
2014-07-09: Vendor confirms receipt of advisory. States that fix will be
            released in the "next 6 weeks or so"
2014-07-24: Vendor provides CVE: CVE-2014-4023
2014-08-26: Vendor releases fixed version.
2014-08-28: SEC Consult releases a coordinated security advisory.

---------
Update to the newest version.

More information can be found at:

-----------
No workaround available.

Advisory URL:
-------------

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com

Interested in working with the experts of SEC Consult?
Write to


