Sep 13, 2019

Double Substitution Vulnerability

Hi all,

today I'm focusing on the double substitution vulnerability explained here https://support.f5.com/csp/article/K15650046 and reviewing my code, but it's not clear to me what I should change or check. For example, a simple script like this:

    when HTTP_REQUEST {
        if { [HTTP::host] equals "mysite.domain.com" } {
            switch -glob [string tolower [HTTP::uri]] {
                URI_1 { some action }
                URI_2 { some action }
                default { default action }
            }
        }
    }

Is it secure or not? From the description I understand that expressions should always be enclosed in curly braces to avoid double substitution, but BIG-IP doesn't permit creating the same script without braces. So I'm not really sure whether I have to check all my code.

Thank you in advance

Luca

2 Replies

  • I recently spent some time evaluating that as well. And I agree that at a glance it is not very clear what the problem is or how to mitigate it. Some more practical examples with different common TCL commands would help a lot I think.

    Personally I came to the conclusion that unless we specifically run untrusted input through eval, subst or similar commands which are specifically designed to execute code OR deliberately violate basic TCL coding best practices, we should be fine.

    In your example the if condition is braced, which is good. If you wanted to make it unsafe, you'd have to do something like

        if "$unsafevariable eq \"string\"" { ... } ;# DO NOT USE

    This is certainly not a syntax you would find anywhere except in a discussion about double substitution dangers. Every bit of TCL/iRules example code, tutorials, etc. uses the braced syntax for if conditions.


    "switch" is similar. You'd have to do something like this:

        switch -glob $var \
            $pattern "some action on $unsafevariable" ;# DO NOT USE

    to be vulnerable. As far as I can tell $var and $pattern are never double-substituted, even in this example. $unsafevariable is indeed executed if you deliberately forgo both the braces around your entire switch body and the braces around your actions. So again this is probably not something you'd do by accident.

    The one thing that of course always requires extra care is the use of eval and the likes, but that should go without saying. Don't eval user-supplied variables unless you know EXACTLY what you are doing.

    Please do note that all my knowledge about TCL is self-taught and I'm by no means an expert. So take everything I say with a grain of salt and if anyone with more experience would chime in, I'd love to hear your thoughts.

  • Thank you gersbah for sharing your knowledge. A dedicated F5 article or Lightboard Lesson on how to prevent this, with examples, would be useful.

    Luca
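Added example, not from this thread and not F5 code: the braced and unbraced forms of if and switch that gersbah describes, side by side in plain Tcl (run with tclsh), with a flag that only flips when the user-supplied value is actually executed as code. The procs, the mark flag and the sample input are constructed for this demonstration; the switch mirrors the shape of the iRule in the original post.

```tcl
# Flag that is only set if user-supplied text is ever executed as code.
set ::injected 0
proc mark {} { set ::injected 1; return 0 }

# Constructed "user input" containing a command substitution. The braces on
# this set keep it a literal string, exactly as a URI or header would arrive.
set unsafevariable {[mark]}

# SAFE: braces around the if-expression. The parser passes the text through
# untouched; expr substitutes $input once and compares it as a plain value.
# The embedded [mark] is never executed.
proc braced_if {input} {
    if { $input eq "string" } { return match }
    return nomatch
}

# UNSAFE (the form gersbah warns against): the double-quoted word is
# substituted by the parser first ($input becomes [mark]), then if hands
# the result to expr, which substitutes again and runs the embedded command.
proc unbraced_if {input} {
    if "$input eq \"string\"" { return match }
    return nomatch
}

# SAFE switch, as in the original post: patterns and actions sit inside a
# braced body, so each action is a plain script that reads $input as a value.
proc braced_switch {uri input} {
    switch -glob [string tolower $uri] {
        /login* { return "login:$input" }
        default { return "other:$input" }
    }
}

# UNSAFE switch: the action is a double-quoted string, so the value of
# $input is spliced into the script text before switch evaluates it.
proc unbraced_switch {uri input} {
    switch -glob [string tolower $uri] \
        /login* "return login:$input" \
        default {return other}
}

braced_if $unsafevariable
braced_switch /login $unsafevariable
puts "after braced forms:   injected=$::injected"
unbraced_if $unsafevariable
puts "after unbraced if:    injected=$::injected"
set ::injected 0
unbraced_switch /login $unsafevariable
puts "after unbraced switch: injected=$::injected"
```

The two braced calls leave the flag at 0; each unbraced call sets it to 1, which is the double substitution the K15650046 article describes.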