Forum Discussion
Justin_48142
Nimbostratus
Apr 10, 2008
Block URI with /dev60cgi from external client_addr
Hello,
I'm new to F5/iRules and I have a requirement to block external ip's from invoking any /dev60cgi/f60cgi URI call that doesn't include the string 'DRECSINHIST' or 'DRECSFFEDBF'. The iRule should do the following:
1) detect if IP::client_addr is external by reading from a data class ($::approved_clients)
2) if IP::client_addr is internal, then it will LB to the pool associated with the virtual
3) if IP::client_addr is external, then it will check for /dev60cgi/f60cgi in the URI
4) if 3 = true, then the iRule will look for 'DRECSINHIST' or 'DRECSFFEDBF' in the URI string
5) if URI strings contains 'DRECSINHIST' or 'DRECSFFEDBF' then LB to the pool associated with the virtual, else display an HTTP response that says "no forms access allowed to external client ip's"
Here's what I've come up with to address these requirements. Everything seems to work except the part where the HTTP::respond streams HTML back to the requesting client. The iRule effectively determines if the IP::client_addr is external/internal and blocks invocations to any forms that aren't in our approved forms list, but it fails to display any type of response...the browser just hangs indefinitely.
when HTTP_REQUEST {
    # Internal clients (address class approved_clients) fall through to the default pool.
    if { not [matchclass [IP::client_addr] equals $::approved_clients] } {
        # External client: only inspect forms launcher requests.
        if { [HTTP::uri] contains "/dev60cgi/f60cgi" } {
            # Block unless one of the approved form names (string class approved_forms) appears in the URI.
            if { not [matchclass [HTTP::uri] contains $::approved_forms] } {
                log local0. "URI requested by [IP::client_addr] blocked"
                log local0. "URI requested = [HTTP::uri]"
                HTTP::respond 200 content "ErrorError No Access to forms via external address"
            }
        }
    }
}
Any thoughts?
iRule newbie...
3 Replies
- Justin_48142
Nimbostratus
FYI...here's what the LTM log shows when someone accesses an unauthorized form from an external ip address
Thu Apr 10 16:28:12 CDT 2008 tmm tmm[1661] Rule oracle_formservlet_filter HTTP_REQUEST: URI requested = /dev60cgi/f60cgi?appletmode=nonformsHTMLpageTitle=HTMLpreApplet=code=oracle/apps/fnd/formsClient/FormsLauncher.classwidth=400height=100archive=/OA_JAVA/oracle/apps/fnd/jar/fndforms.jar,/OA_JAVA/oracle/apps/fnd/jar/fndformsi18n.jar,/OA_JAVA/oracle/apps/fnd/jar/fndewt.jar,/OA_JAVA/oracle/apps/fnd/jar/fndswing.jar,/OA_JAVA/oracle/apps/fnd/jar/fndbalishare.jar,/OA_JAVA/oracle/apps/fnd/jar/fndaol.jar,/OA_JAVA/oracle/apps/fnd/jar/fndctx.jar,/OA_JAVA/oracle/apps/fnd/jar/fndlist.jargp14=jinit_appletcachegv14=offjinit_appletcache=offgp2=resp_appgv2=FNDgp3=respgv3=APPLICATION_DEVELOPERgp4=sec_groupgv4=STANDARDgp5=functiongv5=FND_FNDPOMPOgp6=other_paramsgv6=gp7=forms_urlgv7=https3A2F2Fhostname.domainname.com3A4432Fpls2Fnaoatst12Ffnd_icx_launch.runforms3FICX_TICKET3D26resp_app3DFND26resp_key3DAPPLICATION_DEVELOPER26secgrp_key3DSTANDARD26start_func3DFND_FNDPOMPO26other_params3Dencoding=UTF-8gp8=error_urlgv
Thu Apr 10 16:28:12 CDT 2008 tmm tmm[1661] Rule oracle_formservlet_filter HTTP_REQUEST: URI requested by 66.xxx.xxx.xxx blocked
- The_Bhattman
Nimbostratus
Did you try to switch browsers, like say I.E. vs. Firefox? Just a simple test to rule out the browser.
- Justin_48142
Nimbostratus
I figured it out. I'm using the same logic as before, but now I'm searching for a different string (had to use Wireshark on a non-SSL server to figure this out).
when HTTP_REQUEST {
    # Internal clients (address class approved_clients) fall through to the default pool.
    if { not [matchclass [IP::client_addr] equals $::approved_clients] } {
        # External client: inspect the runforms launch request that the browser actually sends,
        # rather than the /dev60cgi/f60cgi URL it is later redirected to.
        if { [HTTP::uri] contains "/fnd_icx_launch.runforms" } {
            # Block unless one of the approved form names (string class approved_forms) appears in the URI.
            if { not [matchclass [HTTP::uri] contains $::approved_forms] } {
                log local0. "URI requested by [IP::client_addr] blocked"
                log local0. "URI requested = [HTTP::uri]"
                HTTP::respond 200 content "ErrorError No Access to forms via external address"
                # HTTP::respond above already sends a complete response to the client;
                # the redirect below is redundant, so keep one or the other, not both.
                HTTP::redirect "http://somewhere.com"
            }
        }
    }
}
Here's the key string (request from the browser, followed by the 302 the server answers with):

GET /pls/dbname/fnd_icx_launch.runforms?ICX_TICKET=&resp_app=CSFCUST&resp_key=DRES_ASO_RESP&secgrp_key=STANDARD&start_func=DRECSFFEDBF&other_params= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: hostname.domainname.com
Connection: Keep-Alive
Cookie: oracle.uix=0^^GMT-5:00^p; oracle.uix=0^^GMT-5:00^p; BIGipServerdbname_http_pool=2759328266.29215.0000; JServSessionIdroot=gs9z80d911.qRjIa34MsAXIngPAcBbPpx0LaBDJpAiHnwTyqAjNqQjM/AbJphCLbxiKa0--; dbserver_dbname=fFXMJKIYaHBAets8D7_X5Q0h:S

HTTP/1.0 302 Found
Date: Thu, 10 Apr 2008 22:25:45 GMT
Server: Oracle HTTP Server Powered by Apache/1.3.19
Location: http://hostname.domainname.com/dev60cgi/f60cgi?lang=US&env=NLS_LANG='AMERICAN_AMERICA.UTF8'+FORMS60_USER_DATE_FORMAT='DD-MON-RRRR'+FORMS60_USER_DATETIME_FORMAT='DD-MON-RRRR%20HH24%3AMI%3ASS'+NLS_DATE_LANGUAGE='AMERICAN'+NLS_SORT='BINARY'+NLS_NUMERIC_CHARACTERS='.,'&form_params=+config='dbserver_dbname'+icx_ticket='.A5yJBWacW3TQ7ScPm3ElNw..'+resp='CSFCUST%2FDRES_ASO_RESP'+secgrp='STANDARD'+start_func='DRECSFFEDBF'&encoding=UTF-8
Content-Type: text/plain
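The decision procedure from the original requirements list (internal clients pass; external clients may only launch approved forms) and the runforms / f60cgi URL shapes captured in the last reply can be modelled and tested offline before being written as Tcl. The block below is an added example, not code from the thread or from F5: it reproduces the rule order in plain Python and shows one thing the posted iRule does not, namely that `matchclass ... contains` over the raw URI matches the approved form name anywhere in the string, so an external request for an unapproved `start_func` that merely appends `&x=DRECSINHIST` passes the substring check, whereas comparing the parsed `start_func` value does not. The network ranges, class contents and sample URIs are constructed for illustration (the URIs follow the shapes quoted above; the hosts, pools and ticket values are not real).

```python
# Added example: offline model of the thread's blocking logic, with exact
# start_func comparison beside the posted rule's substring ("contains") check.
# All ranges, class contents and sample URIs below are constructed.
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Stand-ins for the approved_clients address class and approved_forms string class.
APPROVED_CLIENTS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
APPROVED_FORMS = {"DRECSINHIST", "DRECSFFEDBF"}


def is_internal(client_addr: str) -> bool:
    """Equivalent of: matchclass [IP::client_addr] equals $::approved_clients."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in APPROVED_CLIENTS)


def requested_form(uri: str):
    """Classify a request URI.

    Returns ("other", None) for anything that is not a forms launch, and
    ("forms", name) for a launch, where name is the start_func value or None
    when it is missing or ambiguous (duplicated), which callers treat as deny.
    Two URL shapes appear in the thread:
      - /pls/<db>/fnd_icx_launch.runforms?...&start_func=NAME&...
      - /dev60cgi/f60cgi?...&form_params=+config='x'+...+start_func='NAME'&...
    """
    parts = urlsplit(uri)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("/fnd_icx_launch.runforms"):
        vals = qs.get("start_func", [])
        return ("forms", vals[0] if len(vals) == 1 else None)
    if parts.path.endswith("/dev60cgi/f60cgi"):
        fp = qs.get("form_params", [])
        if len(fp) != 1:
            return ("forms", None)
        m = re.search(r"start_func='([^']*)'", fp[0])  # parse_qs already +/%-decoded it
        return ("forms", m.group(1) if m else None)
    return ("other", None)


def decide(client_addr: str, uri: str) -> str:
    """Rule order from the original post, with an exact match on the parsed form name."""
    if is_internal(client_addr):
        return "allow"                      # step 2: internal -> default pool
    kind, form = requested_form(uri)
    if kind != "forms":
        return "allow"                      # step 3: not a forms launch -> default pool
    return "allow" if form in APPROVED_FORMS else "block"   # steps 4-5


def decide_substring(client_addr: str, uri: str) -> str:
    """The posted iRule's logic: 'contains' checks over the raw URI string."""
    if is_internal(client_addr):
        return "allow"
    if "/fnd_icx_launch.runforms" not in uri:
        return "allow"
    return "allow" if any(f in uri for f in APPROVED_FORMS) else "block"


# Constructed sample URIs in the shapes quoted in the thread.
_RUNFORMS = ("/pls/dbname/fnd_icx_launch.runforms?ICX_TICKET=&resp_app=CSFCUST"
             "&resp_key=DRES_ASO_RESP&secgrp_key=STANDARD&start_func={}&other_params=")
ALLOWED_URI = _RUNFORMS.format("DRECSFFEDBF")
DENIED_URI = _RUNFORMS.format("FND_FNDPOMPO")
BYPASS_URI = DENIED_URI + "&x=DRECSINHIST"      # approved name smuggled into another parameter
F60CGI_URI = ("/dev60cgi/f60cgi?lang=US&form_params=+config='dbserver_dbname'"
              "+resp='CSFCUST%2FDRES_ASO_RESP'+secgrp='STANDARD'+start_func='DRECSFFEDBF'"
              "&encoding=UTF-8")

if __name__ == "__main__":
    for who, uri in (("10.1.2.3", DENIED_URI), ("66.1.2.3", ALLOWED_URI),
                     ("66.1.2.3", DENIED_URI), ("66.1.2.3", BYPASS_URI)):
        print(f"{who:10} parsed={decide(who, uri):5} substring={decide_substring(who, uri):5} {uri[:60]}...")
```

Running the block prints one line per sample; the fourth line is the interesting one, where the substring model allows what the parsed-value model blocks. The same consideration applies to the first version of the rule, since the f60cgi URL carries the form name inside `form_params` and a `contains` match over the whole URI is just as easy to satisfy there.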