multipart/form-data
We have several applications which allow the customer to upload files (pdf, doc, ppt, ...) to our servers. Those uploads are performed by multipart/form-data POST requests.
For a while now we have noticed that our ASM (10.2.4 HF4 with the latest attack signatures) detects (and blocks) one or another attack signature in a document being uploaded. The detected "attacks" are generic signatures such as ID 200011005, 200007001, 200100012.
ASM should not apply the attack signature processing to those uploaded files. I tried to achieve this by disabling the multipart HTTP Protocol Compliance checks, by defining an 'ignore value' or 'user input - binary' wildcard parameter (I tried both global and URL type), by defining an explicit URL with ignore wildcard parameter, by defining an explicit 'ignore value' parameter, ... None of these solved the problem.
AskF5 does not contain useful information on this topic. I also compared the multipart/form-data POST requests with the RFCs, and the POST syntax seems to be correct.
Only disabling the attack signatures helps, but this is not a scalable solution, annoys both our customers and our business staff, and is insecure (as the signature is then disabled for all user traffic for these applications).
Does anyone know a better solution for this problem?
Thanks,
Ivo
2 Replies
- Torti
Hi,
We had the same problems in the past, so we talked with F5 support.
The result is that you have to disable the detected generic signatures in the policy if you have a file upload parameter.
At the moment, I select these: 200011004, 200011015, 200011016, 200011018, 200011019, 200011020, 200011023, 200011026
It doesn't depend on your parameter settings, because generic signatures are global policy signatures. You cannot disable them on parameter level.
Is it insecure? I don't think so. Depending on your settings, you have so many active signatures...
regards
- ITOPSNetwTeam_6
Thanks for your reply, Torti!
Well, I hope that F5 will improve the multipart support in a future release. In the meantime it would be nice if they would document this 'best practice' in AskF5.
Regards,
Ivo
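An added example, not part of the thread and not F5 code: a triage helper that splits a captured multipart/form-data body into its parts and reports whether a pattern match lands inside a file part (one with a `filename`) or inside an ordinary form field, which is the distinction the thread turns on. The pattern, boundary, field names and sample body are constructed for illustration; the pattern is a stand-in and is not the content of any ASM signature.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP

# Constructed stand-in for a generic pattern; NOT the content of any F5 signature.
STANDIN_PATTERN = re.compile(rb"(?i)<script|/etc/passwd")

# Constructed sample request: one text field and one uploaded "PDF".
SAMPLE_CT = "multipart/form-data; boundary=constructedBoundary42"
SAMPLE_BODY = b"\r\n".join([
    b"--constructedBoundary42",
    b'Content-Disposition: form-data; name="comment"',
    b"",
    b"quarterly slides",
    b"--constructedBoundary42",
    b'Content-Disposition: form-data; name="upload"; filename="deck.pdf"',
    b"Content-Type: application/pdf",
    b"",
    b"%PDF-1.4\r\n\xe2\xe3\xcf\xd3 stream <Script> endstream",
    b"--constructedBoundary42--",
    b"",
])

def split_parts(content_type, body):
    """Yield (name, filename, part_type, payload_bytes) for each form part."""
    # Prepend the request's Content-Type so the MIME parser knows the boundary.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    if not msg.is_multipart():
        raise ValueError("body does not parse as multipart with this boundary")
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        yield name, part.get_filename(), part.get_content_type(), \
            part.get_payload(decode=True)

def triage(content_type, body):
    """Report, per part, whether it is a file upload and where the pattern hits."""
    report = []
    for name, filename, ptype, payload in split_parts(content_type, body):
        hit = STANDIN_PATTERN.search(payload)
        report.append({"name": name, "filename": filename,
                       "is_file": filename is not None, "type": ptype,
                       "hit_offset": hit.start() if hit else None})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_CT, SAMPLE_BODY):
        print(row)
```

A hit reported only in parts where `is_file` is true points to the upload content rather than a user-input field as the trigger.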