Forum Discussion
Hi Robinchien,
you need to either create a whitelist containing your allowed Content-Type request-header values (most secure but slightly difficult approach) or black-list certain characters (e.g. "@", ".", ",", "(" or ")") and attack patterns (e.g. "ognl", "memberaccess", "getruntime", "exec"), which will unlikely be used by your application but are required to pull off the S2-045 remote execution (less secure but easy to implement).
Whitelist approach:
when HTTP_REQUEST {
    switch -exact -- [string tolower [HTTP::header value "Content-Type"]] {
        "" -
        "multipart/form-data" -
        "text/xml; charset=utf-8" -
        "application/x-www-form-urlencoded" {
            # Allow request with empty or white-listed "Content-Type" headers
        }
        default {
            # Reject request with unknown "Content-Type" headers
            reject
        }
    }
}
Blacklist approach:
when HTTP_REQUEST {
    # Note: the post's original pattern list also carried a fifth single-character
    # glob that did not survive formatting; it is not reproduced here.
    switch -glob -- [string tolower [HTTP::header value "Content-Type"]] {
        "*@*" -
        "*.*" -
        "*,*" -
        "*(*" -
        "*)*" -
        "*ognl*" -
        "*memberaccess*" -
        "*getruntime*" -
        "*exec*" {
            # Reject requests with suspicious "Content-Type" headers
            reject
        }
        default {
            # Allow request with unsuspicious "Content-Type" headers
        }
    }
}
Cheers, Kai
- John_Alam_45640 (Historic F5 Account)
The vulnerability has to do with file upload, so there is no use checking every single request.
This is why my iRule on codeshare inspects the Content-Type for POST requests only.
when HTTP_REQUEST {
    if { [HTTP::method] equals "POST" } {
        # Whole-value, case-sensitive comparison of the Content-Type header
        if { not ( [HTTP::header Content-Type] equals "multipart/form-data" or
                   [HTTP::header Content-Type] equals "application/x-www-form-urlencoded" or
                   [HTTP::header Content-Type] equals "text/plain" ) } {
            reject
            log local0. "Rejecting a POST request with Content-type [HTTP::header Content-Type] to [HTTP::uri] from [IP::client_addr]"
        }
    }
}
One could restrict this further by matching against the URL(s) which present the upload form:
when HTTP_REQUEST {
    # Put the URI of the page that presents the upload form in the empty string
    if { [HTTP::uri] equals "" } {
        if { not ( [HTTP::header Content-Type] equals "multipart/form-data" or
                   [HTTP::header Content-Type] equals "application/x-www-form-urlencoded" or
                   [HTTP::header Content-Type] equals "text/plain" ) } {
            reject
            log local0. "Rejecting a POST request with Content-type [HTTP::header Content-Type] to [HTTP::uri] from [IP::client_addr]"
        }
    }
}
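To compare the checks from Kai's post and John's post on realistic header values, here is an added Python model. It is my code, not the iRules from the thread: Kai's exact whitelist and glob blacklist and John's POST-only exact list are transcribed as they stand, and a fourth policy that parses the media type before whitelisting it is my own suggestion. The sample headers are constructed; the OGNL-looking one is a non-functional fragment that only carries the keywords the posts name. The function names and the allowed media-type set are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Kai's whitelist iRule: the whole header value, lowercased, must match exactly.
WHITELIST_EXACT = {"", "multipart/form-data", "text/xml; charset=utf-8",
                   "application/x-www-form-urlencoded"}

# Kai's blacklist iRule: Tcl "string match" globs against the lowercased value.
# (The post's list also had a fifth single-character pattern that did not
# survive formatting; it is not reproduced here.)
BLACKLIST_GLOBS = ["*@*", "*.*", "*,*", "*(*", "*)*",
                   "*ognl*", "*memberaccess*", "*getruntime*", "*exec*"]

# John's iRule: exact, case-sensitive match, applied to POST requests only.
POST_WHITELIST = {"multipart/form-data", "application/x-www-form-urlencoded",
                  "text/plain"}


def kai_whitelist(method: str, content_type: str) -> bool:
    return content_type.lower() in WHITELIST_EXACT


def kai_blacklist(method: str, content_type: str) -> bool:
    value = content_type.lower()
    return not any(fnmatchcase(value, glob) for glob in BLACKLIST_GLOBS)


def john_post_only(method: str, content_type: str) -> bool:
    return method != "POST" or content_type in POST_WHITELIST


# Assumption (my addition, not from the thread): whitelist the media type after
# parsing the header against a simplified RFC 7231 grammar,
#   type "/" subtype *( ";" token "=" ( token / quoted-string ) )
# so "multipart/form-data; boundary=..." is accepted, while an OGNL expression
# is rejected for its shape alone: "{", "(", "@" and an "=" outside a
# parameter are not token characters.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_CONTENT_TYPE_RE = re.compile(rf"^\s*({_TOKEN}/{_TOKEN})(?:{_PARAM})*\s*$")
ALLOWED_MEDIA_TYPES = frozenset({"multipart/form-data",
                                 "application/x-www-form-urlencoded",
                                 "text/plain", "application/json",
                                 "application/vnd.api+json"})


def parsed_whitelist(method: str, content_type: str,
                     allowed: frozenset = ALLOWED_MEDIA_TYPES) -> tuple[bool, str]:
    """Return (allowed, reason). Body-less GET/HEAD may omit the header;
    everything else must parse and carry a listed media type."""
    if content_type == "":
        return method in ("GET", "HEAD"), "no Content-Type"
    match = _CONTENT_TYPE_RE.match(content_type)
    if match is None:
        return False, "malformed Content-Type"
    media_type = match.group(1).lower()
    if media_type not in allowed:
        return False, f"{media_type} not in whitelist"
    return True, media_type


# Constructed sample requests (not captured traffic). The last value is a
# non-functional fragment shaped like the S2-045 header; it only carries the
# tokens the posts name, enough to exercise the checks.
SAMPLES = [
    ("GET", ""),
    ("POST", "application/x-www-form-urlencoded"),
    ("POST", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    ("POST", "application/json; charset=utf-8"),
    ("POST", "application/vnd.api+json"),
    ("POST", "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}"),
]

POLICIES = {
    "kai_whitelist": kai_whitelist,
    "kai_blacklist": kai_blacklist,
    "john_post_only": john_post_only,
    "parsed_whitelist": lambda m, ct: parsed_whitelist(m, ct)[0],
}


def evaluate(samples=SAMPLES) -> dict[str, dict[str, bool]]:
    """Map each Content-Type value to the allow/deny verdict of every policy."""
    return {ct: {name: fn(method, ct) for name, fn in POLICIES.items()}
            for method, ct in samples}


if __name__ == "__main__":
    for ct, verdicts in evaluate().items():
        flags = "  ".join(f"{name}={'allow' if ok else 'REJECT'}"
                          for name, ok in verdicts.items())
        print(f"{ct[:48]!r:52} {flags}")
```

Running it shows where the policies part ways: a browser's multipart/form-data value with its boundary parameter fails every exact comparison, a vendor media type such as application/vnd.api+json trips the "*.*" glob, and the OGNL-shaped value is rejected by all four, by the parsed variant simply because it is not a syntactically valid Content-Type. Tcl's string match and Python's fnmatchcase agree for these star-only patterns.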
This answer shouldn't be marked as the answer. It's breaking applications and also not covering all attack vectors.
Cheers, Kai
- JGCumulonimbus
There is now an official fix: Final - K43451236: Apache Struts 2 vulnerability CVE-2017-5638.