Bug ID 751694: No input validation for hash-id when adding DOM Signature to whitelist

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP FPS (all modules)

Known Affected Versions:
15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Opened: Dec 02, 2018

Severity: 4-Minor

Symptoms

When adding DOM signatures, you are able to specify an invalid hash-ID without error.

Impact

The invalid hash-ID is successfully inserted into the DOM signatures whitelist. The device still functions and the whitelist is ignored, but the invalid hash-ID remains in the configuration and should be removed.

Conditions

This is encountered when adding a DOM signature using tmsh. Here is an example where a1b2c3d4 is not a valid hash:

tmsh modify security anti-fraud profile my1 urls modify { /login.php { malware { whitelist-dom-signatures add { a1b2c3d4 } } } }

Workaround

Add only valid hash-IDs to the DOM signatures whitelist.

Fix Information

None

Behavior Change
