Forum Discussion
John_Alam_45640
Historic F5 Account
The vulnerability has to do with file upload, so there is no use checking every single request.
This is why my iRule on codeshare inspects the Content-Type for POST requests only.
when HTTP_REQUEST {
    if { [HTTP::method] equals "POST" } {
        if { not ( [HTTP::header Content-Type] equals "multipart/form-data" or [HTTP::header Content-Type] equals "application/x-www-form-urlencoded" or [HTTP::header Content-Type] equals "text/plain" ) } {
            reject
            log local0. "Rejecting a POST request with Content-type [HTTP::header Content-Type] to [HTTP::uri] from [IP::client_addr]"
        }
    }
}
One could restrict this further by matching against the URL(s) which present the upload form:
when HTTP_REQUEST {
    if { [HTTP::uri] equals "" } {
        if { not ( [HTTP::header Content-Type] equals "multipart/form-data" or [HTTP::header Content-Type] equals "application/x-www-form-urlencoded" or [HTTP::header Content-Type] equals "text/plain" ) } {
            reject
            log local0. "Rejecting a POST request with Content-type [HTTP::header Content-Type] to [HTTP::uri] from [IP::client_addr]"
        }
    }
}
Kai_Wilke
Mar 31, 2017, MVP
This answer shouldn't be marked as the answer. It's breaking applications and also not covering all attack vectors.
Cheers, Kai
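Added example, not code from either poster: the iRule in the first post compares the whole Content-Type header with `equals`, so a browser upload sent as `multipart/form-data; boundary=...` or a form post with a `; charset=...` parameter does not match the allowlist and is rejected. The sketch below applies the same three-value allowlist to the media type only (the part before the first `;`); the variable names and the sample header value in the comment are constructed for illustration.

```tcl
# Added example: same allowlist as the first post, matched on the media type only.
when HTTP_REQUEST {
    if { [HTTP::method] equals "POST" } {
        # Raw header, e.g. "multipart/form-data; boundary=----abc123" (constructed sample)
        set raw_ct [HTTP::header value "Content-Type"]

        # Drop parameters (boundary, charset), trim whitespace, and lower-case,
        # because media types are case-insensitive
        set media_type [string tolower [string trim [getfield $raw_ct ";" 1]]]

        switch -- $media_type {
            "multipart/form-data" -
            "application/x-www-form-urlencoded" -
            "text/plain" {
                # Allowed media type: let the request through
            }
            default {
                # Log before dropping the connection, then stop processing this event
                log local0. "Rejecting a POST request with Content-Type $raw_ct to [HTTP::uri] from [IP::client_addr]"
                reject
                return
            }
        }
    }
}
```

This only changes how the header is matched; it still inspects nothing but the Content-Type of POST requests, and applications that legitimately post other media types (JSON or XML APIs, for example) would still be rejected unless those types are added to the list.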