Vigil@nce - F5 BIG-IP APM: Clickjacking of Access Policy Logon
October 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can perform a clickjacking attack against the Access
Policy Logon page of F5 BIG-IP APM, in order to perform operations
in the context of the web site.
Impacted products: BIG-IP Appliance
Severity: 2/4
Creation date: 19/09/2013
DESCRIPTION OF THE VULNERABILITY
The F5 BIG-IP APM product offers a web service.
However, the Access Policy Logon page does not check whether mouse
clicks originate from the same page.
An attacker can therefore perform a clickjacking attack against the
Access Policy Logon page of F5 BIG-IP APM, in order to perform
operations in the context of the web site.
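A defender-side check for the weakness described above, as an added example that is not part of the Vigil@nce bulletin or of F5 code: it inspects a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers (the standard browser anti-framing controls, which the bulletin itself does not name) and reports whether another origin could frame the page. The function names and the sample headers are constructed for illustration.

```python
# Added example: audit one HTTP response for anti-framing (clickjacking) headers.
# All sample responses below are constructed, not captured from a BIG-IP device.
def _frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP value, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_verdict(headers):
    """headers: (name, value) pairs of one response. Returns (status, reason)."""
    fa_lists, xfo = [], set()
    for name, value in headers:
        lname = name.strip().lower()
        # Content-Security-Policy-Report-Only is skipped on purpose: it blocks nothing.
        if lname == "content-security-policy":
            for policy in value.split(","):  # several policies may be comma-joined
                sources = _frame_ancestors(policy)
                if sources is not None:
                    fa_lists.append(sources)
        elif lname == "x-frame-options":
            xfo.update(v.strip().upper() for v in value.split(",") if v.strip())
    if fa_lists:
        # An enforced frame-ancestors directive takes precedence over X-Frame-Options.
        if all(any(t == "*" or t.endswith(":") for t in s) for s in fa_lists):
            return ("weak", "frame-ancestors allows any origin")
        return ("ok", "frame-ancestors restricts framing")
    if xfo in ({"DENY"}, {"SAMEORIGIN"}):
        return ("ok", "X-Frame-Options " + xfo.pop())
    if xfo:  # e.g. obsolete ALLOW-FROM, typos, or conflicting values
        return ("weak", "X-Frame-Options is not a single DENY/SAMEORIGIN value")
    return ("missing", "no anti-framing header")

SAMPLES = {
    "no header": [("Content-Type", "text/html")],
    "xfo deny": [("X-Frame-Options", "DENY")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://portal.example")],
    "report-only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "csp self": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "csp wildcard": [("Content-Security-Policy", "frame-ancestors *"), ("X-Frame-Options", "DENY")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:14} -> {framing_verdict(hdrs)}")
```

A logon page that returns "missing" or "weak" can still be embedded in a frame on another site, which is the condition clickjacking depends on.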
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/F5-BIG-IP-APM-Clickjacking-of-Access-Policy-Logon-13449