Forum Discussion
Gustavo_Lazarte
Nimbostratus
Feb 20, 2009
Security Header too long http 1.0
I got the following error on the server.
Synopsis : Arbitrary code may be run on the remote server. Description : It was possible to kill
the web server by sending an invalid request with a too long HTTP 1.0 header (From,
If-Modified-Since, Referer or Content-Type). This vulnerability could be exploited to crash the
web server. It might even be possible to execute arbitrary code on your system. ** As this is a
generic test, it is not possible to know if the impact ** is limited to a denial of service.
On the HTTP profile you can set up the size of the header, but in the HTTPS client I am not able to. Is there a way to do this with iRules or some other option on the F5?
Thanks
- hoolio
Cirrostratus
You must decrypt the HTTPS using a client SSL profile in order to inspect/modify the HTTP content. Be aware that the maximum header size in the HTTP profile does not affect the actual requests/responses. The value is just used to determine how many bytes to allocate for buffering header values. The online help shows this:

```tcl
when HTTP_REQUEST {

    # Loop through each header name
    foreach header [HTTP::header names] {

        # Check if header length is greater than 32768 bytes
        if {[string length [HTTP::header value $header]] > 32768} {

            # Log header details
            log local0. "Header exceeds 32768! Header Name: $header, Length: [string length [HTTP::header $header]],\
                Client: [IP::client_addr], User-Agent: [HTTP::header User-Agent], Value: [HTTP::header $header]"

            # Send a 400 response
            HTTP::respond 400 content "<html><head><title>Header value too long</title></head><body>Header value too long</body></html>"

            # Close the TCP connection
            TCP::close

            # Stop here so a second oversized header does not trigger another HTTP::respond
            return
        }
    }
}
```

```tcl
when HTTP_REQUEST {

    # Loop through only the header names listed in the scan finding
    foreach header {From If-Modified-Since Referer Content-Type} {

        # Check if header length is greater than 32768 bytes
        if {[string length [HTTP::header value $header]] > 32768} {

            # Log header details
            log local0. "Header exceeds 32768! Header Name: $header, Length: [string length [HTTP::header $header]],\
                Client: [IP::client_addr], User-Agent: [HTTP::header User-Agent], Value: [HTTP::header $header]"

            # Send a 400 response
            HTTP::respond 400 content "<html><head><title>Header value too long</title></head><body>Header value too long</body></html>"

            # Close the TCP connection
            TCP::close

            # Stop here so a second oversized header does not trigger another HTTP::respond
            return
        }
    }
}
```
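An added example, not part of the posts above: a variant of the same check that inspects every occurrence of a repeated header, also bounds the size of the whole header block, and logs only a truncated sample instead of the full oversized value. The limits (32768, 65536, 64) and the variable names are assumptions for illustration.

```tcl
when HTTP_REQUEST {
    # Assumed limits; tune to what the back-end web server tolerates
    set max_header_len 32768
    set max_total_len  65536
    set log_sample_len 64

    set reason ""

    # HTTP::request returns the request line plus all headers (no payload),
    # so its length bounds the whole header block in one check
    set total [string length [HTTP::request]]
    if { $total > $max_total_len } {
        set reason "header block is $total bytes (limit $max_total_len)"
    } else {
        foreach name [HTTP::header names] {
            # HTTP::header values returns every occurrence of a repeated
            # header, so an oversized duplicate is not missed
            foreach value [HTTP::header values $name] {
                set len [string length $value]
                if { $len > $max_header_len } {
                    # Truncate client-controlled strings before logging so one
                    # request cannot flood or distort the log
                    set safe_name [string range $name 0 [expr {$log_sample_len - 1}]]
                    set sample    [string range $value 0 [expr {$log_sample_len - 1}]]
                    set reason "header $safe_name is $len bytes (limit $max_header_len), starts with: $sample"
                    break
                }
            }
            if { $reason ne "" } { break }
        }
    }

    if { $reason ne "" } {
        set ua [string range [HTTP::header value User-Agent] 0 [expr {$log_sample_len - 1}]]
        log local0. "Rejected request from [IP::client_addr]: $reason, User-Agent: $ua"

        # Answer once, close the connection, and leave the event
        HTTP::respond 400 content "Header value too long"
        TCP::close
        return
    }
}
```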