Forum Discussion

Gustavo_Lazarte
Feb 20, 2009

Security Header too long http 1.0

I got the following error on the server.

Synopsis : Arbitrary code may be run on the remote server. Description : It was possible to kill the web server by sending an invalid request with a too long HTTP 1.0 header (From, If-Modified-Since, Referer or Content-Type). This vulnerability could be exploited to crash the web server. It might even be possible to execute arbitrary code on your system. ** As this is a generic test, it is not possible to know if the impact ** is limited to a denial of service.

On the HTTP profile you can set up the size of the header, but in the HTTPS client I am not able to. Is there a way to do this with iRules or some other option on the F5?

Thanks

1 Reply

  • You must decrypt the HTTPS using a client SSL profile in order to inspect/modify the HTTP content. Be aware that the maximum header size in the HTTP profile does not affect the actual requests/responses. The value is just used to determine how many bytes to allocate for buffering header values. The online help shows this:

    Maximum Header Size

    Specifies the maximum amount of HTTP header data that the system buffers before making a load balancing decision. The default is 32,000 bytes.

    If you want to modify LTM's handling of long headers, you could use an iRule. Of course, this assumes the traffic is either HTTP or decrypted HTTPS.

    (Modified from http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=32156)

     when HTTP_REQUEST {
         # Loop through each header name (the bracketed command must not be
         # wrapped in braces, or Tcl treats it as a literal one-element list)
         foreach header [HTTP::header names] {
             # Check if header length is greater than 32768 bytes
             if {[string length [HTTP::header value $header]] > 32768} {
                 # Log header details
                 log local0. "Header exceeds 32768! Header Name: $header, Length: [string length [HTTP::header $header]],\
                     Client: [IP::client_addr], User-Agent: [HTTP::header User-Agent], Value: [HTTP::header $header]"
                 # Send a 400 response
                 HTTP::respond 400 content "Header value too long"
                 # Close the TCP connection
                 TCP::close
                 # Stop the event so no second response is attempted
                 return
             }
         }
     }

    Keep in mind that this rule checks every request header's length. It would add load to LTM. If you know that there are just a few headers you want to check, you can limit the checks to those:

     when HTTP_REQUEST {
         # Loop through only the header names of interest (absent headers
         # return an empty value, so their length is 0)
         foreach header {From If-Modified-Since Referer Content-Type} {
             # Check if header length is greater than 32768 bytes
             if {[string length [HTTP::header value $header]] > 32768} {
                 # Log header details
                 log local0. "Header exceeds 32768! Header Name: $header, Length: [string length [HTTP::header $header]],\
                     Client: [IP::client_addr], User-Agent: [HTTP::header User-Agent], Value: [HTTP::header $header]"
                 # Send a 400 response
                 HTTP::respond 400 content "Header value too long"
                 # Close the TCP connection
                 TCP::close
                 # Stop the event so no second response is attempted
                 return
             }
         }
     }

    Aaron
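As an added example (not Aaron's rule and not F5's own code), the same check with the limit in a variable, an aggregate limit across all headers, the logged value truncated so an oversized header cannot also flood the log, and a single 400 response followed by `return` so the event stops after the first hit. The 32768 limit comes from the reply above; the 65536 total, the variable names and the use of a `Connection: close` response header instead of `TCP::close` are my assumptions, and the rule still requires HTTP or decrypted HTTPS (client SSL profile) traffic.

```tcl
# Added example: per-header and total header-size enforcement for an HTTP or
# decrypted HTTPS virtual server. Limits and variable names are assumptions.
when HTTP_REQUEST {
    # Per-header limit in bytes; the reply above used 32768
    set max_header 32768
    # Total limit across all headers, so many moderately long headers
    # cannot add up to the same buffering pressure as one huge header
    set max_total 65536
    set total 0

    foreach name [HTTP::header names] {
        set len [string length [HTTP::header $name]]
        incr total $len

        if { $len > $max_header || $total > $max_total } {
            # Log only the first 64 bytes of the value so the log line itself
            # stays short even when the header is tens of kilobytes
            log local0. "Oversized header from [IP::client_addr]: name=$name len=$len total=$total\
                value=[string range [HTTP::header $name] 0 63]..."

            # One response, ask the client to close, then stop the event
            HTTP::respond 400 content "Request header too long" "Connection" "close"
            return
        }
    }
}
```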