For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Bertrand_8797's avatar
Bertrand_8797
Icon for Nimbostratus rankNimbostratus
Apr 04, 2013

Strange behaviour when adding header with ICAP

Hi all,

 

I m under an issue (bug or not) on ICAP with ASM.

 

My configuration is following:

 

Client -> VS -> ASM -> ICAP(a HTTP header is added) -> F5 -> JBOSS.

 

Version: 11.2.1

 

I have the problem when my client is trying to upload a infected file(EICAR for our tests) on my application.

 

ASM forwards to ICAP which is analysing the file with McAfee AV. Is the file is infected, a header X-Virus-Name is added. adn get back to F5 and to JBOSS next.

 

The issue is:

 

The header is correctly inserted from ICAP but when the F5 forwards HTTP request to JBOSS this header is not.

 

 

From ICAP:ICAP/1.0 200 OK•

 

ISTag: QuarantaineIcapServer•

 

Encapsulated: req-hdr=0, req-body=1199•

 

 

POST /jboss-negotiation-toolkit-jaspic/Upload HTTP/1.1•

 

Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/Referer: https://**********************•

 

Accept-Language: fr•

 

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET Content-Type: multipart/form-data; boundary=---------------------------7dd19a3a88061c•

 

Accept-Encoding: gzip, deflate•

 

Host: ***************•

 

Content-Length: 347•

 

Connection: Keep-Alive•

 

Cache-Control: no-cache•

 

Cookie: JSESSIONID=uwEESSGTVDdsvOhN7OEjHouJ; JSESSIONID=uwEESSGTVDdsvOhN

 

7OEjHouJ; TSbad918=4fec7bde0bc32bf583d7341015fdba8a36d06b6060daa249515c296760ac0ec5aeb6f89b; LastMRH_X-Virus-Name: Virus d?tect?•

 

 

F5 to JBOSS:

 

OST /jboss-negotiation-toolkit-jaspic/Upload HTTP/1.1•

 

Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/Referer: https://****************************•

 

Accept-Language: fr•

 

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET Content-Type: multipart/form-data; boundary=---------------------------7dd19a3a88061c•

 

Accept-Encoding: gzip, deflate•

 

Host: ***************************•

 

Content-Length: 347•

 

Connection: Keep-Alive•

 

Cache-Control: no-cache•

 

Cookie: JSESSIONID=uwEESSGTVDdsvOhN7OEjHouJ; JSESSIONID=uwEESSGTVDdsvOhN7OEjHouJ; TSbad918=4fec7bde0bc32bf583d7341015fdba8a36d06b6060daa249515c296760ac0ec5aeb6f8

 

9b; LastMRH_Session=14a65085; F5_ST=1,1,1,1364998245,604800; TS4d6d6d=ed3422aa94e0252793248f73b09700da36d06b6060daa249515c3e5d60ac0ec5aeb6f89b

 

 

As you can see the header X-Virus-Name was deleted when the POST go back to JBOSS.

 

 

Thanks for your help

 

 

config
design
No RepliesBe the first to reply