Bug ID 452182: Flash client-side rewriting and path truncation

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4

Fixed In:
11.6.0, 11.5.1 HF5, 11.4.1 HF4

Opened: Mar 13, 2014
Severity: 3-Major
Related Article:
K15383

Symptoms

Certain requests from rewritten Flash ActionScript 3 files might be missing the '/f5-w-xxx$$/' part of the path. These requests fail and this could adversely affect the functionality of the application.

Impact

Failed requests, broken applications. Security issue: Flash applications could make HTTP requests to other domains accessible through Portal Access without checks for cross-domain restrictions.

Conditions

The request URI in Flash code contains enough "../" parts to leave the '/f5-w-xxx$$/' sandbox.
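
The condition above, worked through as an added example (not F5 code and not part of the original report): it resolves relative references against a rewritten SWF location using standard RFC 3986 resolution and reports which ones lose the sandbox prefix. The host `portal.example`, the application paths and the reference list are constructed; the prefix is the placeholder the report itself uses.

```python
from urllib.parse import urljoin, urlsplit

# Placeholder prefix exactly as the bug report writes it; a real prefix differs.
SANDBOX = "/f5-w-xxx$$/"


def resolve(base_url: str, reference: str) -> str:
    """Resolve a relative reference against base_url (RFC 3986); return the path."""
    return urlsplit(urljoin(base_url, reference)).path


def leaves_sandbox(base_url: str, reference: str) -> bool:
    """True when the resolved path no longer starts with the sandbox prefix."""
    return not resolve(base_url, reference).startswith(SANDBOX)


def escaping_references(base_url: str, references):
    """Return (reference, resolved_path) for each reference that leaves the sandbox."""
    return [(r, resolve(base_url, r)) for r in references if leaves_sandbox(base_url, r)]


# Constructed sample: a rewritten SWF location and URLs its ActionScript might request.
BASE = "https://portal.example" + SANDBOX + "app/swf/main.swf"
REFS = [
    "data.xml",            # same directory
    "../img/logo.png",     # one level up, still inside
    "../../api/list",      # lands directly under the prefix, still inside
    "../../../api/list",   # one "../" more than the depth below the prefix
    "x/../../../../cfg",   # "../" segments in the middle of the reference
]

if __name__ == "__main__":
    for ref in REFS:
        path = resolve(BASE, ref)
        print(f"{ref:20} -> {path:30} escaped={leaves_sandbox(BASE, ref)}")
```

Only the references with more "../" segments than the SWF's depth below the prefix resolve to a path without it, which is the kind of request the workaround asks you to identify.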

Workaround

This could be addressed with an iRule in most cases. If you can identify such a request, you can correct the mangled part of the URI within the HTTP_REQUEST event.

Fix Information

Flash ActionScript 3 rewriter now correctly rewrites URLs containing "../".

Behavior Change