Bug ID 482338: Disallow of query parameters in the internal whitelisted URIs from 11.6

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Opened: Oct 02, 2014
Severity: 3-Major

Symptoms

Adding a query string to hangup.php3 or any internal URI causes a reset in 11.6.0. The reported reset cause is: Access encountered an error (Illegal argument)

Impact

The hangup.php3 change from 11.5.1 to 11.6.0 causes deployment delays for the customer.

Conditions

Navigate to the logout page, append a query string to the URI, and press Enter.

Workaround

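Use an iRule. The HTTP_REQUEST event fires before access, so the iRule can set the session variable and remove the query string from the URI:

    when HTTP_REQUEST {
        # Match the logout URI with the language query string appended
        if { [HTTP::uri] equals "/vdesk/hangup.php3?l=en" } {
            ACCESS::session data set "session.ui.lang" "en"
            # Strip the query string so the internal URI is accepted
            HTTP::uri "/vdesk/hangup.php3"
        }
    }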
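
A generalization of the workaround above, added here as an example and not F5's own code: it handles any query string on the logout URI rather than the single literal "?l=en", and copies the l value into the session only when it appears on an allowlist, so client-supplied text is never written to a session variable unchecked. The allowlist contents and the variable names allowed_langs and lang are assumptions.

```tcl
when HTTP_REQUEST {
    # Act only on the logout URI named in this bug, and only when a
    # query string is present.
    if { [HTTP::path] equals "/vdesk/hangup.php3" && [HTTP::query] ne "" } {

        # Assumed allowlist of language codes; adjust to the languages
        # the logout page is actually customized for.
        set allowed_langs {en fr de ja}

        # Value of the l= parameter (empty string if it is absent).
        set lang [URI::query [HTTP::uri] "l"]

        # Write the session variable only for an allowlisted value.
        if { [lsearch -exact $allowed_langs $lang] >= 0 } {
            ACCESS::session data set "session.ui.lang" $lang
        }

        # Always strip the query string so that access does not reset
        # the connection with "Illegal argument".
        HTTP::uri "/vdesk/hangup.php3"
    }
}
```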

Fix Information

None

Behavior Change

Previously, in 11.5.1 and before, you could append query strings to hangup.php3 or any internal URI and use iRules to customize the logout page. In 11.6.0, this is no longer possible and returns an error.