CVE-2007-6704

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in F5 FirePass 4100 SSL VPN versions 5.4.1 through 5.5.2 and 6.0 through 6.0.1. The flaws reside in the my.activation.php3 and my.logon.php3 scripts, which reflect user-supplied input from the query string without proper sanitization. The vulnerable code path is reachable only when pre-logon sequences are enabled [1].

Exploitation

An attacker can exploit these vulnerabilities remotely without authentication. The attack requires user interaction: the victim must either click a specially crafted URL or visit a malicious page that triggers a request to the vulnerable script. For example, a URL such as https://target.tld/my.activation.php3?">HTML_injection_test<!-- injects arbitrary HTML and JavaScript into the response. A more sophisticated attack can load external JavaScript via an ` and the name` attribute [1].

Impact

Successful exploitation allows an attacker to execute arbitrary script in the victim's browser within the security context of the F5 FirePass domain. This can lead to non-persistent defacement of the login page, theft of session cookies or admin session IDs, and redirection of confidential information to third parties. The CVSS base score is 2.6 (low), with partial integrity impact and no confidentiality or availability impact [1].

Mitigation

No official patch is mentioned in the available references. Disabling pre-logon sequences may reduce the attack surface. Administrators should monitor F5's support portal for a security update and consider upgrading to a fixed version if one becomes available. The affected versions are now likely end-of-life, so upgrading to a supported release is recommended [1].