Forum Discussion

Martin_Vlasko's avatar
Martin_Vlasko
Icon for Altocumulus rankAltocumulus
Aug 14, 2014

Portal Access Security Problem - Manipulation with HEX string in URL mangle allows access to any internal website!! How to restrict?

Hi,

We are running simple Portal Access policy on our APM, which provides authenticated external users an access to our public web site located behind the APM, basically a simple reverse proxy with authentication.

The URL rewrite works as expected: 

URL of internal web site: https://public.mycompany.com/logon.asp
URL for external users:   https://apm.company.com/f5-w-[HEX-String]$$/logon.asp

I realized that when I swap the [HEX-String] part of the external URL with another HEX string (representing URL of other internal web site, for example http://intranet.company.com) I gain access to this intranet web site, although as a remote user I am not allowed to access anything else except "public.mycompany.com".

Is this a bug or standard behavior? How can I restrict the access to only one particular web site?

How can I prevent the rewritten URL to be changed by external user and misused for accessing other internal websites?

Thanks for hints.

APM
deployment
portal access
security

4 Replies

Sort By
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Aug 20, 2014

    You can configure L7 ACLs or L4+L7 ACLs on APM and assign ACLs to your VPE.

     

    Pay attention, there is bug with L4 ACLs :

     

    http://support.f5.com/kb/en-us/solutions/public/14000/200/sol14219.html?sr=39702705

     

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Aug 20, 2014

    yep ACLs are the way to go, i still feel F5 should make this more clear in the documentation and make APM a default deny device like the LTM behaves. a standard deny all ACL in the end would accomplish this.

     

  • Martin_Vlasko's avatar
    Martin_Vlasko
    Icon for Altocumulus rankAltocumulus
    Aug 20, 2014

    Thank you guys for both answers, I will try the ACL as you suggested.

     

    But do you think this is an expected behavior of the APM or should this be reported to F5 support as a security bug?

     

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Aug 20, 2014

    i would say report it as a security bug. then again i know they will say it is expected behaviour. but if enough people report this it might change their mind and at least give some more attention to it.