Forum Discussion

Cpet
Jul 29, 2019

Security issue - Oracle Identity System Administration login screen is exposed to public

Hi to all,

 

I have a cluster with 2 BIG-IP VMs, version 13.1. A VS has the role of load balancing OAM. I discovered that the Oracle Identity System Administration login screen is exposed to the public. I found the solution with the iRule below. I want to allow only two networks (internal and VPN).

My question is whether I must create two iRules for that.

 

    when CLIENT_ACCEPTED {
        # Per-connection flag. A static:: variable would be shared by every
        # connection, so one external client would set it for all clients.
        set drop_notallowed 0
        if { not [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
            log local0. "[IP::client_addr] does not match 10.0.0.0/8 AND access URI = /restricted-URI/"
            set drop_notallowed 1
        }
    }

    when HTTP_REQUEST {
        # The URI is lower-cased first, so the prefix must be lower-case too
        if { [string tolower [HTTP::uri]] starts_with "/restricted-uri" } {
            if { $drop_notallowed == 1 } {
                drop
            }
        }
    }

12 Replies

  • Hi

    You should be able to put all of the logic into the HTTP_REQUEST event, something like...

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/restricted-uri" } {
            if { not [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
                drop
            }
        }
    }
    • Cpet

      Hi iaine,

      Thanks for your prompt reply.

      So you suggest using an HTTP_REQUEST iRule, and I agree.

      Must I create 2 iRules to allow 2 networks?

  • Hi

    No, just combine the networks with a logical OR.

    If the number of networks starts to get too unwieldy, or you want to edit the networks regularly, then you could use a Data Group to do a lookup.

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/restricted-uri" } {
            # Drop unless the client is in either allowed network;
            # the "not" must wrap the whole OR, not just the first test
            if { not ([IP::addr [IP::client_addr] equals 192.168.0.0/16] || [IP::addr [IP::client_addr] equals 10.0.0.0/8]) } {
                drop
            }
        }
    }
    • Cpet

      Hi,

      Unfortunately it does not work. I still have access from external networks.

      Any ideas???

  • What IP address do the external clients have when they hit the VIP - are you NATing them to an internal IP...?

  • Cpet

    Hi iaine,

    I think the iRule does not work due to a syntax error.

    My portal (URL) is https://blabla.com//sysadmin/faces/signin

    So I wrote the following. Please advise if the bold-type (URI) fields are correct.

    when CLIENT_ACCEPTED {
        # Per-connection flag. A static:: variable would be shared by every
        # connection, so one external client would set it for all clients.
        set drop_notallowed 0
        if { not [IP::addr [IP::client_addr] equals 10.0.40.0/24] } {
            log local0. "[IP::client_addr] does not match 10.0.40.0/24 AND access URI = /sysadmin/faces/signin"
            set drop_notallowed 1
        }
    }

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "https://blabla.com/sysadmin/faces/signin" } {
            if { $drop_notallowed == 1 } {
                drop
            }
        }
    }

  • Hi

    You don't need the CLIENT_ACCEPTED event to look for the IP, and the HTTP::uri value in HTTP_REQUEST should start from / rather than include http:// etc.

    So your code would look something like

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/sysadmin/faces/signin" } {
            if { not [IP::addr [IP::client_addr] equals 10.0.40.0/24] } {
                drop
            }
        }
    }

  • Cpet

    Still not working.

    Where/how can I see the logs regarding this rule???

    I need to find out why.

  • Here's a couple of log lines that will hopefully help. Logs go to /var/log/ltm or the Local Traffic tab in the Logs section of the GUI.

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/sysadmin/faces/signin" } {
            log local0. "URI is [HTTP::uri] - IP Address is [IP::client_addr]"
            if { not [IP::addr [IP::client_addr] equals 10.0.40.0/24] } {
                log local0. "Dropping the connection from [IP::client_addr]"
                drop
            }
        }
    }
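As an added example, not code from this thread or from F5, the iRule below combines the points raised above: the allowed networks are kept in an address-type Data Group (the lookup suggested earlier) instead of a chain of OR conditions, the match is on the request path only, and every decision is logged. The Data Group name `admin_allowed_nets`, the two networks in it, and answering with a 403 instead of the thread's `drop` are assumptions.

```tcl
# Added example (not from the thread). Assumes an address-type Data Group
# named admin_allowed_nets exists, for instance created with:
#   tmsh create ltm data-group internal admin_allowed_nets type ip \
#       records add { 10.0.40.0/24 { } 192.168.0.0/16 { } }
when HTTP_REQUEST {
    # HTTP::path is the path only: no scheme, host or query string.
    # Lower-case it and collapse repeated slashes, so that a request for
    # "//SYSADMIN/faces/signin" (note the double slash in the portal URL
    # quoted in this thread) is still caught by the "/sysadmin" prefix.
    set path [string tolower [HTTP::path]]
    regsub -all {/+} $path "/" path

    if { $path starts_with "/sysadmin/faces/signin" } {
        # class match does subnet matching for address Data Groups, so one
        # lookup replaces the IP::addr ... || IP::addr ... tests and the
        # list can be edited without touching the iRule.
        if { [class match [IP::client_addr] equals admin_allowed_nets] } {
            log local0. "Allowed admin UI access from [IP::client_addr] to [HTTP::uri]"
        } else {
            log local0. "Blocked admin UI access from [IP::client_addr] to [HTTP::uri]"
            # A 403 leaves a clear trace for the client and the logs; use
            # "drop" here instead if you prefer the silent behaviour used above.
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
            return
        }
    }
}
```

Two things to check before relying on a rule like this: `IP::client_addr` is the address the BIG-IP sees, so if something upstream NATs the clients (the question asked earlier in the thread) every request arrives from the NAT address and an address list cannot tell external and internal users apart; in that case only trust an X-Forwarded-For value inserted by a device you control. The `return` after `HTTP::respond` stops the rest of the event from running, so the request never reaches the OAM pool, and the two log lines in /var/log/ltm give you the allow and block decisions for each login-page request.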