Bug ID 452182: Flash client-side rewriting and path truncation

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.6.2 HF1, 11.4.0, 11.4.1

Fixed In:
11.6.0, 11.5.1 HF5, 11.4.1 HF4

Opened: Mar 13, 2014

Severity: 3-Major

Related Article: K15383

Symptoms

Certain requests from rewritten Flash ActionScript 3 files might be missing the '/f5-w-xxx$$/' part of the path. These requests fail and this could adversely affect the functionality of the application.

Impact

Failed requests, broken applications. Security issue: Flash applications could make HTTP request to other domains accessible through Portal Access without checks for cross-domain restrictions.

Conditions

Request URI in Flash code contains enough "../" parts to leave the '/f5-w-xxx$/' sandbox.

Workaround

This could be addressed with an iRule in most cases. If you can identify such a request, you can correct the mangled part of the URI within the HTTP_REQUEST event.

Fix Information

Flash ActionScript 3 rewriter now correctly rewrites URLs containing "../".

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips