SOL6916 - Case change in URL host name circumvents Accessibility Scope

2007-10-04T00:00:00
ID SOL6916
Type f5
Reporter f5
Modified 2015-03-25T00:00:00

Description

It is possible to bypass the Deny list configured in the Accessibility Scope section located on the Portal Access : Web Applications : Master Group Settings page using a URL whose hostname portion differs in case (upper vs. lower) from the URL pattern in the Deny list.

After logging in to the FirePass webtop, you can enter a URL into the webtop address bar if the FirePass Administrator has not selected the Show administrator-defined favorites only check box in the Access limitation section located on the Portal Access : Web Applications : Master Group Settings page. By entering the URL in the address bar with one or more letters in a different case from the pattern specified in the Deny list, you can bypass the Deny list and access restricted websites through Portal Access.

Additionally, FirePass encodes URLs accessed by users through Portal Access, as seen in the browser's address bar. By altering the encoded URL so that it represents a change of case in one or more characters of the hostname portion, you can circumvent the Deny list regardless of whether the Show administrator-defined favorites only check box is selected.
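The following is an added illustration of the defect described above, not F5 code and not FirePass's actual URL encoding: a deny-list check that compares the hostname verbatim (and so misses a case change) beside one that canonicalizes the hostname before comparing. The deny-list entries, the sample URLs and the use of percent-encoding as the "encoded" form are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed deny list for illustration only (not a FirePass configuration).
DENY_LIST = ["intranet.example.com", "payroll.example.com"]


def raw_host(url: str) -> str:
    """Hostname exactly as it appears in the URL, with no normalization.

    urlsplit().netloc keeps the original case (unlike .hostname, which
    lowercases), so this reproduces a verbatim string comparison.
    Bracketed IPv6 literals are not handled here.
    """
    netloc = urlsplit(url).netloc
    netloc = netloc.rsplit("@", 1)[-1]   # drop userinfo, if any
    return netloc.split(":", 1)[0]       # drop port, if any


def is_denied_case_sensitive(url: str, deny: list[str]) -> bool:
    """Flawed check: exact match, so 'Intranet.Example.COM' is not denied."""
    return raw_host(url) in deny


def canonical_host(url: str) -> str:
    """Canonical form of the hostname for policy comparison.

    Percent-decoding stands in for whatever encoding a portal applies
    (assumed here); DNS names are case-insensitive, so lowercase; a
    trailing dot denotes the same zone, so strip it. IDNA/Unicode
    normalization is out of scope for this example.
    """
    host = unquote(raw_host(url))
    return host.lower().rstrip(".")


def is_denied_normalized(url: str, deny: list[str]) -> bool:
    """Hardened check: compare canonical forms on both sides."""
    deny_canonical = {d.lower().rstrip(".") for d in deny}
    return canonical_host(url) in deny_canonical


if __name__ == "__main__":
    for u in ["https://intranet.example.com/",
              "https://Intranet.Example.COM/",
              "https://%49ntranet.example.com./"]:
        print(u, is_denied_case_sensitive(u, DENY_LIST),
              is_denied_normalized(u, DENY_LIST))
```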

F5 Product Development tracked this issue as CR68077 and CR55068, and it was fixed in version 6.0.0. For information about upgrading, refer to the FirePass Release Notes.

Additionally, a hotfix has been issued for version 5.5.1 of FirePass software. Customers affected by this issue should contact F5 Technical Support to request the hotfix. Include the CR number and the number of this article in your correspondence. For version 5.5.2, CR68077 will be fixed in a future cumulative hotfix.

For instructions about how to obtain a hotfix, refer to SOL167: Downloading software from F5.

For instructions about installing a hotfix, refer to SOL3430: Installing hotfixes.

To view a list of the latest available hotfixes, refer to SOL10322: FirePass hotfix matrix.

Workaround

Use the Limit Web Applications Access to Intranet Favorites only feature under the Access limitation section located on the Portal Access : Web Applications : Master Group Settings page to remove the Webtop address bar. By selecting the check box, you limit users to the Portal Access Favorites configured by the FirePass Administrator.

There is no workaround to prevent a user from entering a different-case encoded URL in the browser address bar.