A January 2007 security advisory describes several security issues present in some versions of FirePass software. One section in the document, titled ACL Filter bypass with URL de-normalization, states that Portal Access ACL filters can be bypassed if a user appends a trailing NULL byte after the requested URL. At this time, F5 has not received supporting documentation for this claim. Additionally, after testing and code review, F5 has not reproduced this issue.
At this time, F5 does not consider the FirePass controller to be vulnerable to the scenario described in the advisory.
Information about this advisory is available at the following location: