For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Marc_Bergeron_5's avatar
Marc_Bergeron_5
Icon for Nimbostratus rankNimbostratus
Aug 15, 2007

Process POST data

I'm looking to patch a security issue in our application until our developers have time to do their thing, and I'm hoping to do it with iRules.     What I have is a log-in page, login.asp, that ...
application delivery
dev
devops
iRules
Marc_Bergeron_5's avatar
Marc_Bergeron_5
Icon for Nimbostratus rankNimbostratus
Aug 16, 2007
That doesn't seem to be working. I'm not well versed in regex, but there seems to be a handful of issues:

 

regsub {("&password=)(.*?)(&)?} $newPayload {\1$pw\3} newPayload

 

 

There's an extra double-quote at the beginning of the expression and the (&) only matches if the payload has variables after the password, correct? I found that removing the stray double-quote returned this payload while filtering out @ and using password 1111@: membername=marcb&password=$pw1111

 

 

If I removed the (&) constraint:

 

regsub {(&password=)(.*?)?} $newPayload {\1$pw\3} newPayload

 

 

I got this payload: membername=marcb&password=$pw

 

 

Closer, but not quite there. I need it to expect that there may be more variables, so the (&) needs to be (&|\n) or something to that effect, but I can't figure out what it should be. Next, I need to figure out why the $pw variable is printing instead of its value.

 

 

Thanks for the help.

 

 

Marc