Forum Discussion
Content-Type header in body
Hello guys, I have an application that is not really RFC compliant: it crafts requests with the Content-Type header after a CRLF. The request is multipart/form-data.
ASM then treats this as a block of data and parses it the wrong way.
I am preparing to set an exception for this and would like to set the best one. I'm thinking of URL + method = signature exceptions (until new ones appear that may require no signature check at all).
Thanks a lot for any share of experience.
- samstep_81205
Nimbostratus
RFC violation is pretty serious and the risks are quite high - just Google for "CRLF Injection" to see the dangers of such attacks.
You should really speak to the application developers to get them to fix this and remove the CRLF injection vulnerability. If fixing the application code is not possible, then you need to very carefully consider the exception - you might need to do it with an iRule and only allow the exception from trusted IP addresses rather than the whole Internet.
- samstep
Cirrocumulus
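The following is an added example, not code from the original post, from F5, or an iRule. It shows the framing point behind both the question and the reply: an HTTP/1.1 parser ends the header section at the first empty line, so a Content-Type header that the client emits after an extra CRLF is body data to ASM or any other strict parser, and it cannot be recovered without relaxing the framing rules that stop CRLF injection. It then models the reply's suggestion as a policy decision: a request whose body opens with a header line is tolerated only from a trusted source range and blocked otherwise. The two sample requests, the TRUSTED network and the function names are all constructed for this illustration.

```python
"""Strict HTTP/1.1 framing vs. a client that puts Content-Type after the
header/body separator, plus a trusted-source exception check.
Added example; not F5 code and not an iRule."""
import ipaddress
import re
from typing import Dict, Tuple

# Constructed multipart body shared by both sample requests (not real traffic).
_BODY = (
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="f"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"--XYZ--\r\n"
)
_CTYPE = b"Content-Type: multipart/form-data; boundary=XYZ\r\n"

# RFC-compliant request: Content-Type is inside the header section.
COMPLIANT = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n" + _CTYPE +
    b"Content-Length: %d\r\n\r\n" % len(_BODY) + _BODY
)

# The misbehaving client from the post: the empty line comes one line too
# early, so Content-Type follows CRLF CRLF and is part of the body.
MISPLACED = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: %d\r\n\r\n" % (len(_CTYPE) + 2 + len(_BODY))
    + _CTYPE + b"\r\n" + _BODY
)

# Assumed trusted client range for the exception (hypothetical).
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]

# RFC 9110 token characters, used to recognise a "Name: value" line.
_HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[^\r\n]*\r\n")


def split_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a request the way a strict parser does: the header section ends
    at the first empty line and everything after it is body, whatever it
    looks like. Header names are lower-cased; values are stripped."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of header section")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            continue  # not a field line; a strict parser would reject it
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return request_line, headers, body


def header_in_body(body: bytes) -> bool:
    """True when the body opens with something shaped like a header field.
    A well-formed multipart body starts with the dash boundary, so this is
    the symptom from the post. Caveat: a text body that happens to begin
    with 'Name: value' would also trip this check."""
    return _HEADER_LINE.match(body) is not None


def is_trusted(client_ip: str) -> bool:
    """Source-address allow-list used to scope the exception."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED)


def classify(raw: bytes, client_ip: str) -> str:
    """'compliant' for a normally framed request, 'exception' for a
    header-in-body request from a trusted source, 'block' otherwise."""
    _, _, body = split_request(raw)
    if not header_in_body(body):
        return "compliant"
    return "exception" if is_trusted(client_ip) else "block"


if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT), ("misplaced", MISPLACED)):
        _, hdrs, body = split_request(raw)
        print(name, "content-type in headers:", "content-type" in hdrs,
              "| body starts with header line:", header_in_body(body))
    print(classify(MISPLACED, "10.1.2.3"), classify(MISPLACED, "203.0.113.7"))
```

Running it shows that the parser never sees a Content-Type header for the misplaced request, which is why a multipart policy cannot apply to it, and that the only thing distinguishing the broken client from an attacker who injected a CRLF into a header value is the source address, which is exactly why the reply suggests scoping any exception to trusted addresses rather than turning off the check for the whole URL.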