Bug ID 664650: Real time encryption on non-password fields

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP FPS (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: May 14, 2017
Severity: 2-Critical

Symptoms

Real-time encryption for a non-password field when full-AJAX encryption is enabled.

Impact

When malware changes an input value with JS code, the system sends this value instead of the RTE one.

Conditions

1. Configure a specific parameter with encryption enabled.
2. The page uses AJAX.
3. Change the configured parameter value in the page after it has been populated by the end user, and then submit the page.

Workaround

None.

Fix Information

The system now sends the real value from RTE in this case.

Behavior Change