Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP All
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Fixed In:
12.1.0
Opened: May 22, 2015 Severity: 3-Major
Symptoms:
Currently, a user's authorization token for logging into the BIG-IP GUI may be used for iControl SOAP calls. Similarly, the authorization token for iControl SOAP calls may be used to make calls to the GUI.
Impact:
Potential browser confusion.
Conditions:
The user is logged into the BIG-IP GUI in one browser tab or window and then clicks a link in another tab that belongs to a different site.
Workaround:
In order to reduce iControl SOAP authentication from clients other than iControl, a user may modify the DB variable 'icontrol.webrootenforcement' to be enabled, then restart httpd. This DB variable reduces the scope of an authentication cookie given for iControl SOAP.
Fix Information:
In order to reduce iControl SOAP authentication from clients other than iControl, a user may modify the DB variable 'icontrol.webrootenforcement' to be enabled, then restart httpd. Use caution when enabling this feature in order to avoid invalidating existing SOAP clients, in particular those SOAP clients that do not authenticate at the /icontrol/ webroot.