Bug ID 591113: CSRF injection leading to blank page

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.0.0

Opened: May 04, 2016

Severity: 2-Critical

Related Article: K45901635

Symptoms

When CSRF JS is injected, a blank page is seen.

Impact

Viewing the site causes some pages to show up blank.

Conditions

-- When CSRF JS is injected. -- This page has has lots of IFrames with the query parameters.

Workaround

Bypass or disable ASM for the following URL: /apps/consumer/ITS/its_Lite/UpperFrame_Lite.jsp. Can be done using l7policy rules or an irule: when HTTP_REQUEST { ASM::enable if { $uri contains "<affected url>" } { ASM::disable } }

Fix Information

Added handling for this instance.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips