SOL6924 - Insertion of special characters in URL path circumvents Accessibility Scope and Access Control Lists

2007-01-08T00:00:00
ID SOL6924
Type f5
Reporter f5
Modified 2015-03-25T00:00:00

Description

It is possible to bypass the Deny list, configured in the Accessibility Scope section located on the Portal Access: Web Applications: Master Group Settings page, by inserting certain special characters into a URL path. In FirePass version 6.0, this issue also applies to the Deny list configured under the Access Control Lists section of the Portal Access: Web Applications: Resources page.

When you log in to the FirePass Webtop, you can enter a URL into the Webtop Address Bar if the FirePass Administrator has not checked the Show administrator-defined favorites only box in the Access limitation section located on the Portal Access: Web Applications: Master Group Settings page. By entering the URL in the address bar with certain characters placed at specific locations in the path portion of the URL, you can bypass patterns in the Deny lists and access restricted web sites through Portal Access.

Additionally, FirePass encodes the URLs that users access through Portal Access, and the encoded form is visible in the browser's address bar. By altering that encoded URL so that the special characters appear at the relevant locations in the path, a user can circumvent the Deny lists regardless of whether the Show administrator-defined favorites only box is checked.
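The underlying defect class described above is a policy check performed on the path string as the client supplied it rather than on a canonical form. The following Python example is added here for illustration; it is not F5 code and does not reproduce FirePass behaviour. It places a naive prefix matcher beside one that canonicalizes the path first (percent-decoding to a fixpoint, collapsing repeated slashes, resolving dot segments, case folding). The deny list, the sample URLs and the canonicalization steps are all assumptions for the example; the advisory does not state which characters FirePass mishandled.

```python
"""Added example (not F5's code): deny-list matching on raw vs. canonical paths.

Principle: an access-control decision on a URL path must be made on a canonical
form of that path, never on the raw string the client sent. Every value below
(deny list, sample URLs, normalization steps) is a constructed assumption.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed deny list: path prefixes an administrator wants blocked.
DENY_PREFIXES = ["/restricted/", "/admin/"]


def _prefix_hit(path: str, prefixes) -> bool:
    """True if path is one of the denied directories or lies beneath one."""
    return any(path == p.rstrip("/") or path.startswith(p) for p in prefixes)


def naive_is_denied(url: str) -> bool:
    """The flawed approach: match deny prefixes against the path as supplied."""
    return _prefix_hit(urlsplit(url).path, DENY_PREFIXES)


def canonical_path(url: str) -> str:
    """Reduce a URL path to a canonical form before any policy check.

    Steps (assumed, following common RFC 3986 normalization practice):
      1. percent-decode repeatedly until stable (catches double encoding),
      2. collapse runs of '/' and resolve '.' and '..' segments,
      3. lower-case the result, on the assumption that the backend treats
         paths case-insensitively (drop this step for case-sensitive servers).
    """
    path = urlsplit(url).path or "/"
    # 1. decode until a fixpoint, bounded so pathological input cannot loop forever
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # 2. collapse '//' first: posixpath.normpath would preserve a leading '//'
    trailing_slash = path.endswith("/")
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)  # resolves '.' and '..', never climbs above '/'
    if not path.startswith("/"):
        path = "/" + path
    if trailing_slash and not path.endswith("/"):
        path += "/"
    # 3. case folding
    return path.lower()


def hardened_is_denied(url: str) -> bool:
    """Canonicalize first, then apply the same deny list."""
    return _prefix_hit(canonical_path(url), DENY_PREFIXES)


# Constructed sample requests: textbook normalization cases, not FirePass-specific ones.
SAMPLE_URLS = [
    "http://intranet.example/restricted/report.html",            # plain form
    "http://intranet.example/public/../restricted/report.html",  # dot segment
    "http://intranet.example/%72estricted/report.html",          # percent-encoded letter
    "http://intranet.example//restricted/report.html",           # doubled slash
    "http://intranet.example/public/index.html",                 # legitimately allowed
]


def compare(urls=SAMPLE_URLS) -> dict:
    """Map each URL to (naive verdict, hardened verdict) so the gap is visible."""
    return {u: (naive_is_denied(u), hardened_is_denied(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in compare().items():
        print(f"{url:60s} naive={naive!s:5s} hardened={hardened}")
```

Running the module prints one line per sample URL; only the first and last rows agree between the two matchers, which is exactly the gap an attacker-controlled path exploits. The design choice worth noting is that canonicalization over-matches by design (an encoded slash is decoded and treated as a separator), because for a deny list the safe failure direction is to block.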

F5 Product Development is tracking this issue as CR71703 for feature release 6.0.0 and CR71813 for maintenance release 5.5.2.

Additionally, a hotfix has been issued for certain versions of FirePass. Customers affected by this issue should contact F5 Technical Support to request the hotfix, referencing the CR number and the number of this article. For version 6.0.0, this issue was fixed in cumulative hotfix 600-8, and for version 5.5.2, this issue was fixed in cumulative hotfix 552-2. You may download these hotfixes or a later version of the cumulative hotfixes from the F5 Downloads site.

For instructions about how to obtain a hotfix, refer to SOL167: Downloading software from F5. For instructions on installing a hotfix, refer to SOL3430: Installing hotfixes.

Workaround

You can use the Limit Web Applications Access to Intranet Favorites only feature under the Access limitation section located on the Portal Access: Web Applications: Master Group Settings page to remove the address bar on the Webtop. By checking the box, you limit users to the Portal Access Favorites configured by the FirePass Administrator.

There is no workaround to prevent a user from entering these characters into the URL in the browser address bar.

Acknowledgement

F5 would like to acknowledge Michael Ligh (http://mnin.org) and Greg Sinclair (security@nnlsoftware.com) for their efforts in identifying this issue.