Forum Discussion

Zdenda
Aug 19, 2019

TCL code injection - eval in proxy-pass rule

Hi there,

I've been searching through the proxy-pass rule to check whether it's vulnerable to TCL code injection and I am unsure about this one:

    ...
        set stream_expression_cmd "STREAM::expression \"@$host_serverside$path_serverside@$host_clientside$path_clientside@ @$path_serverside@$path_clientside@\""
    } else {
        set stream_expression_cmd "STREAM::expression \"@$host_serverside$path_serverside@$host_clientside$path_clientside@\""
    }
    ...
    eval $stream_expression_cmd
    ...

It's only eval which works with user input ([HTTP::uri], [HTTP::host]) through the variables $host_clientside and $path_clientside.

My question is, do you think eval would process some script/commands provided via [HTTP::uri] if it's going through STREAM::expression?

Without STREAM probably yes, but with STREAM, I am not sure.

Thanks,

Zdenek
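The behaviour the question is about can be checked in plain tclsh. The following is an added example, not code from the post or from F5's proxy-pass iRule: it stubs STREAM::expression with a recording proc (an assumption so the script runs outside an iRule), builds the command string the same way the snippet does, and compares it with a version that quotes the value with [list]. The variable names and the constructed probe URI are mine.

```tcl
# Added example (not from the original post or from F5's proxy-pass iRule).
# Shows why a command string built with double quotes and then run through
# eval re-parses the substituted user input, and a safer way to make the call.

# Stub for the iRule command so this runs in plain tclsh (assumption);
# it only records the expression it was given.
namespace eval STREAM {}
proc STREAM::expression {expr} {
    set ::last_expression $expr
}

# Pattern from the post: substitution happens once when the string is
# assigned and again when eval parses the resulting string as a script.
proc build_unsafe {host_cs path_cs host_ss path_ss} {
    set cmd "STREAM::expression \"@$host_ss$path_ss@$host_cs$path_cs@\""
    eval $cmd
    return $::last_expression
}

# Safer pattern: [list] quotes each word, so the value reaches the command
# as data and eval does not interpret it as Tcl syntax. Calling
# STREAM::expression directly, with no eval at all, has the same effect.
proc build_safe {host_cs path_cs host_ss path_ss} {
    set cmd [list STREAM::expression "@$host_ss$path_ss@$host_cs$path_cs@"]
    eval $cmd
    return $::last_expression
}

# Constructed probe: a path that contains Tcl command-substitution syntax.
# It is harmless (it only sets a flag) and just reveals whether the input
# was re-parsed. Braces keep the brackets literal at assignment time.
set ::probe_ran 0
set path_cs {/app/[set ::probe_ran 1]}

build_unsafe www.example.com $path_cs internal.example.com /app/
puts "unsafe: probe_ran=$::probe_ran expression=$::last_expression"

set ::probe_ran 0
build_safe www.example.com $path_cs internal.example.com /app/
puts "safe:   probe_ran=$::probe_ran expression=$::last_expression"
```

In the unsafe case the flag flips to 1 and the brackets disappear from the recorded expression; in the safe case the flag stays 0 and the expression keeps the literal brackets.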

2 Replies

  • No one is working on the same case? TCL injection is quite big and proxy-pass iRules are used quite a lot.

  • Hi Zdenek,

    I suggest you open a case with F5 Support to get an official response. If you do and it gets stuck, can you email me (aaron at f5 dot com) and I'll try to help.

    Thanks, Aaron