Bug ID 531851: Login access criteria not validated

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0

Opened: Jul 06, 2015
Severity: 3-Major

Symptoms

When a response arrives without a Content-Type header and a login page has a "search in response" text criterion, the system does not detect failed logins. When brute force protection or session tracking is configured with this login page, the system consequently does not detect the brute force attack or track the session.

Impact

Brute force attacks are not detected, and other login features may fail.

Conditions

Login criteria include string searches on the full response, and the response arrives without a Content-Type header.

Workaround

Add a "content-type: text/html" header to the responses using an iRule. The content type must be textual ("text/X", where X can be anything) or one of the following "application/X" types: xml, html, xhml, json, soap+xml, x-javascript.
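One way to apply this workaround is an iRule attached to the virtual server that carries the ASM policy. The iRule below is an added example, not F5's own code from this bug entry; it assumes the login page is served at "/login" (substitute the real path of the login page configured in the policy) and inserts the header only when the server omitted it, so responses that already declare a content type are left untouched.

```tcl
# Added example iRule: supply a textual Content-Type on login-page responses
# that arrive without one, so ASM's "search in response" login criteria are
# evaluated and failed logins are still counted for brute force / session
# tracking. Assumes the login page path is /login (hypothetical value).

when HTTP_REQUEST {
    # Request-side commands such as HTTP::path are not available in
    # HTTP_RESPONSE, so remember whether this request targets the login page.
    set is_login_req [string equal -nocase [HTTP::path] "/login"]
}

when HTTP_RESPONSE {
    # Only act on the login page and only when the server sent no Content-Type;
    # an existing header (textual or not) is left exactly as the server set it.
    if { $is_login_req && !([HTTP::header exists "Content-Type"]) } {
        HTTP::header insert "Content-Type" "text/html"
    }
}
```

The check for an existing header matters: overwriting a declared type (for example application/octet-stream) could cause ASM to scan binary content as text, whereas inserting a missing one on a page the policy already treats as HTML restores the intended login detection. After attaching the iRule, confirm in the ASM event log that failed logins on the login page are reported again.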

Fix Information

We fixed a possible failing scenario of the response-side features.

Behavior Change