Martin_Vlasko
Aug 14, 2014
Portal Access Security Problem - Manipulation of the HEX string in the URL mangle allows access to any internal website!! How to restrict?
Hi,
We are running a simple Portal Access policy on our APM, which provides authenticated external users access to our public web site located behind the APM, basically a simple reverse proxy with authentication.
The URL rewrite works as expected:
URL of internal web site: https://public.mycompany.com/logon.asp
URL for external users: https://apm.company.com/f5-w-[HEX-String]$$/logon.asp
I realized that when I swap the [HEX-String] part of the external URL with another HEX string (representing the URL of another internal web site, for example http://intranet.company.com), I gain access to this intranet web site, although as a remote user I am not allowed to access anything else except "public.mycompany.com".
Is this a bug or standard behavior? How can I restrict the access to only one particular web site?
How can I prevent the rewritten URL from being changed by an external user and misused for accessing other internal websites?
Thanks for any hints.
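The check the post is asking for, as an added example that is not part of the original post and not F5's own code or configuration: before proxying a request, decode the `f5-w-<HEX>$$` prefix back to the back-end origin and refuse anything that is not on an explicit allowlist. It assumes the hex string is simply the hex encoding of the back-end origin (`scheme://host[:port]`), which is an inference from the post's description, not a documented fact taken from the page; the host names and the `mangle` helper used to build sample inputs are constructed for the demonstration.

```python
# Added example, not F5 code. Assumption: the f5-w-<HEX>$$ prefix carries the
# hex encoding of the back-end origin ("scheme://host[:port]").
import re
from urllib.parse import urlsplit

# Constructed sample: the only origin remote users may reach.
ALLOWED_ORIGINS = {"https://public.mycompany.com"}

# Path form seen in the post: /f5-w-<hex>$$/<inner path>
MANGLE_RE = re.compile(r"^/f5-w-([0-9a-fA-F]+)\$\$(/.*)?$")


def decode_mangled_path(path):
    """Return (origin, inner_path) from a rewritten path, or None when the
    prefix is missing or the hex does not decode to a plain origin."""
    m = MANGLE_RE.match(path)
    if not m:
        return None
    try:
        origin = bytes.fromhex(m.group(1)).decode("ascii")
    except ValueError:  # odd-length / non-hex input, or non-ASCII bytes
        return None
    parts = urlsplit(origin)
    # Only accept "scheme://host[:port]" with nothing after the authority,
    # so an encoded path or query cannot smuggle in a different target.
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path \
            or parts.query or parts.fragment:
        return None
    return origin.lower(), (m.group(2) or "/")


def is_allowed(path, allowed=ALLOWED_ORIGINS):
    """True only if the decoded back-end origin is on the allowlist."""
    decoded = decode_mangled_path(path)
    if decoded is None:
        return False
    origin, _inner = decoded
    return origin in {a.lower() for a in allowed}


def mangle(origin, inner_path="/"):
    """Build a sample rewritten path (constructed input for the demo)."""
    return "/f5-w-" + origin.encode("ascii").hex() + "$$" + inner_path


if __name__ == "__main__":
    for p in (mangle("https://public.mycompany.com", "/logon.asp"),
              mangle("http://intranet.company.com", "/"),
              "/logon.asp"):
        print("allow" if is_allowed(p) else "deny ", p)
```

The decisive step is comparing the *decoded* origin against the allowlist rather than matching the raw hex string, so case changes, alternate encodings of the same host, or an encoded origin that carries a path or query are all rejected; a gateway that only checks the literal prefix it generated would still forward whatever the client substituted.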