VYPR
NVD Advisory · Severity: Unrated · Published Jun 10, 2008 · Updated Apr 23, 2026

CVE-2008-2637

Description

Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN 6.0.2 hotfix 3, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via quotes in (1) the css_exceptions parameter in vdesk/admincon/webyfiers.php and (2) the sql_matchscope parameter in vdesk/admincon/index.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

F5 FirePass SSL VPN 6.0.2 hotfix 3 (and earlier) is vulnerable to stored XSS via the css_exceptions and sql_matchscope parameters.

Vulnerability

F5 FirePass SSL VPN version 6.0.2 hotfix 3 and possibly earlier versions contain multiple stored cross-site scripting (XSS) vulnerabilities in the Content Inspection Management interface. The css_exceptions parameter in /vdesk/admincon/webyfiers.php and the sql_matchscope parameter in /vdesk/admincon/index.php incorrectly handle quote characters, allowing an attacker to inject arbitrary web script or HTML [1], [2].

Exploitation

An attacker needs network access to the FirePass management interface (typically on an internal network, or via the internet if the interface is exposed). No authentication is required. The attacker crafts a URL containing a quote character followed by an event handler (e.g., onfocus) and other JavaScript code. Because the application stores the parameter value and renders it back into the page without sanitizing it, the injection persists in the stored configuration. The attack can also remove the "Update" button to complicate cleanup [2].

Impact

A successful attack results in arbitrary script execution in the context of the administrator's browser session when the affected pages are viewed. This can lead to session hijacking, defacement, or theft of administrative credentials. The stored nature of the injection means every subsequent admin accessing the configuration page will trigger the payload [2].

Mitigation

As of the publication date (2008-06-10) no official patch or fixed version has been announced. The vendor (F5 Networks) has not released a security advisory or update for this issue. Workarounds include restricting network access to the management interface and carefully reviewing user-supplied parameters. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1], [2].
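The defect described above is a quote character breaking out of an HTML attribute. The following is an added illustration, not FirePass code and not from the cited advisories: it models, in Python, a configuration value such as css_exceptions being echoed into an admin form, first without encoding and then with attribute-aware encoding, plus an input-side allowlist of the kind the workaround above ("reviewing user-supplied parameters") implies. The field name, the sample value and the helper names are constructed for the example.

```python
"""Attribute-context output encoding for a stored admin-form parameter.

Added example (not F5 FirePass code). Models a configuration value being
echoed back into a quoted HTML attribute, unsafely and then hardened.
"""
import html
import re

# Constructed sample: a stored parameter value carrying a quote followed by an
# inline event handler, the shape of input the advisory describes.
SAMPLE_TAINTED = 'foo" onfocus="f()'


def render_unsafe(field: str, value: str) -> str:
    """Defective pattern: the stored value is concatenated into a quoted
    attribute without encoding, so a quote in the value ends the attribute
    and anything after it becomes new attributes on the element."""
    return f'<input name="{field}" value="{value}">'


def render_safe(field: str, value: str) -> str:
    """Hardened form: encode &, <, >, " and ' before placing the value inside
    a quoted attribute; a quote in the value can no longer close it."""
    enc = html.escape(value, quote=True)
    return f'<input name="{field}" value="{enc}">'


# Matches `name="` attribute openers preceded by whitespace on the element.
ATTR_RE = re.compile(r'\s([A-Za-z-]+)="')


def attribute_names(markup: str) -> list:
    """Regression-style check: list the attribute names present on the rendered
    element. Any name beyond the intended ones means the value escaped its
    attribute context."""
    return ATTR_RE.findall(markup)


def broke_out(field: str, value: str, renderer) -> bool:
    """True if rendering `value` with `renderer` produced attributes other than
    the two the template intends (name and value)."""
    extra = set(attribute_names(renderer(field, value))) - {"name", "value"}
    return bool(extra)


# Input-side defence, independent of output encoding: a stylesheet-exception
# list has no legitimate need for quotes, angle brackets or parentheses.
SAFE_VALUE_RE = re.compile(r'^[A-Za-z0-9_.,:;/\-\s]*$')


def accept_value(value: str) -> bool:
    """Reject the value before storing it if it contains characters outside
    the allowlist for this field."""
    return SAFE_VALUE_RE.fullmatch(value) is not None


if __name__ == "__main__":
    for renderer in (render_unsafe, render_safe):
        out = renderer("css_exceptions", SAMPLE_TAINTED)
        print(renderer.__name__, attribute_names(out))
        print("   ", out)
    print("accepted on input:", accept_value(SAMPLE_TAINTED))
```

Running the block shows the unencoded rendering sprouting an `onfocus` attribute while the encoded rendering keeps only `name` and `value`; the allowlist additionally rejects the value before it is ever stored, which matters for a stored XSS because encoding on output only helps on pages that actually apply it.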

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (7)

News mentions (0)

No linked articles in our index yet.