Forum Discussion

Martin_Vlasko
Aug 14, 2014

Portal Access Security Problem - Manipulation with HEX string in URL mangle allows access to any internal website!! How to restrict?

Hi,

We are running simple Portal Access policy on our APM, which provides authenticated external users an access to our public web site located behind the APM, basically a simple reverse proxy with authentication.

The URL rewrite works as expected:

URL of internal web site: https://public.mycompany.com/logon.asp
URL for external users:   https://apm.company.com/f5-w-[HEX-String]$$/logon.asp

I realized that when I swap the [HEX-String] part of the external URL with another HEX string (representing URL of other internal web site, for example http://intranet.company.com) I gain access to this intranet web site, although as a remote user I am not allowed to access anything else except "public.mycompany.com".

Is this a bug or standard behavior? How can I restrict the access to only one particular web site?

How can I prevent the rewritten URL from being changed by an external user and misused for accessing other internal websites?

Thanks for hints.

  • You can configure L7 ACLs or L4+L7 ACLs on APM and assign ACLs to your VPE.

    Pay attention, there is a bug with L4 ACLs:

    http://support.f5.com/kb/en-us/solutions/public/14000/200/sol14219.html?sr=39702705


  • Yep, ACLs are the way to go. I still feel F5 should make this more clear in the documentation and make APM a default-deny device like the LTM behaves. A standard deny-all ACL in the end would accomplish this.

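To make the default-deny idea from the replies concrete, here is an added example in Python (not code from the thread, from F5, or from APM itself). It assumes a mangled path of the shape shown in the question, `/f5-w-<hex>$$/<path>`, where the hex string is the internal origin (`scheme://host`) hex-encoded; that encoding detail, the `mangle`/`decode_mangled`/`authorize` names and the allowlist contents are all assumptions made for the demo. The point it shows is that the decoded origin must be matched exactly against an allowlist of permitted internal sites, with everything else (other hosts, malformed hex, unmangled paths) denied, which is the behaviour a deny-all ACL at the end of the list gives you on the APM.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the only internal origin remote users may reach through the portal.
ALLOWED_ORIGINS = {"https://public.mycompany.com"}

# Assumed mangled-path shape, modelled on the thread's example URL:
#   /f5-w-<hex-encoded origin>$$/<path on the internal site>
MANGLED_RE = re.compile(r"^/f5-w-([0-9a-fA-F]+)\$\$(/.*)?$")


def mangle(origin: str, path: str) -> str:
    """Build a portal-style path by hex-encoding the internal origin (assumed scheme)."""
    return f"/f5-w-{origin.encode().hex()}$${path}"


def decode_mangled(path: str):
    """Return (normalised origin, inner path), or None if the path is not a well-formed mangled URL."""
    m = MANGLED_RE.match(path)
    if not m:
        return None
    try:
        origin = bytes.fromhex(m.group(1)).decode("utf-8")
    except ValueError:  # odd-length / non-hex input or invalid UTF-8
        return None
    parts = urlsplit(origin)
    # Only accept a bare scheme://host[:port]; anything else is treated as malformed.
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
        return None
    # Normalise so the allowlist comparison is an exact match, not a substring or prefix test.
    return f"{parts.scheme}://{parts.netloc.lower()}", m.group(2) or "/"


def authorize(path: str, allowed=ALLOWED_ORIGINS) -> str:
    """Default deny: only an origin that appears verbatim in the allowlist is proxied."""
    decoded = decode_mangled(path)
    if decoded is None:
        return "deny"
    origin, _inner = decoded
    return "allow" if origin in allowed else "deny"


if __name__ == "__main__":
    # Constructed requests: the legitimate site, a swapped hex string, and two malformed paths.
    samples = [
        mangle("https://public.mycompany.com", "/logon.asp"),
        mangle("http://intranet.company.com", "/"),
        "/f5-w-zz$$/logon.asp",
        "/logon.asp",
    ]
    for p in samples:
        print(f"{authorize(p):5s}  {p}")
```

Because the comparison is on the normalised `scheme://host`, a hex string for `https://public.mycompany.com.evil.example` or for a URL with userinfo in front of the real host is rejected too, since neither equals the allowlisted origin. The APM equivalent is an ACL that permits only the one host and ends with a deny-all entry rather than relying on the portal rewrite to limit where the user can go.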

  • Thank you guys for both answers, I will try the ACL as you suggested.

    But do you think this is an expected behavior of the APM or should this be reported to F5 support as a security bug?


  • I would say report it as a security bug. Then again, I know they will say it is expected behaviour. But if enough people report this it might change their mind and at least give some more attention to it.