For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

John_Alam_45640's avatar
John_Alam_45640
Historic F5 Account
Mar 09, 2017

The Vulnerability has to do with File upload so, no use checking every single request.

This is why my iRule on codeshare inspects the Content-Type for POST requests only.

Here.

    when HTTP_REQUEST {
      if { [HTTP::method] equals "POST" } {

            if { not ( [HTTP::header Content-Type] equals "multipart/form-data" or [HTTP::header Content-Type] equals "application/x-www-form-urlencoded" or [HTTP::header Content-Type] equals "text/plain" ) } {
                reject
                log local0. "Rejecting a POST request with Content-type [HTTP::header Content-Type]  to  [HTTP::uri]  from  [IP::client_addr]"
            }
      }
}

One could restrict this further by matching against the URL(s) which present the upload form: 

when HTTP_REQUEST {
      if { [HTTP::uri] equals "" } {

            if { not ( [HTTP::header Content-Type] equals "multipart/form-data" or [HTTP::header Content-Type] equals "application/x-www-form-urlencoded" or [HTTP::header Content-Type] equals "text/plain" ) } {
                reject
                log local0. "Rejecting a POST request with Content-type [HTTP::header Content-Type]  to  [HTTP::uri]  from  [IP::client_addr]"
            }
      }
}
  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Mar 31, 2017

    This answer shouldn't be marked as answer. Its breaking applications and also not covering all attack vectors.

     

    Cheers, Kai