Bug ID 751694: No input validation for hash-id when adding DOM Signature to whitelist

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP FPS(all modules)

Known Affected Versions:
15.0.0, 15.0.1,,,,

Opened: Dec 02, 2018

Severity: 4-Minor


When adding DOM signatures, you are able to specify an invalid hash-ID without error.


hash-ID is successfully inserted to the DOM signatures whitelist. The device will still function and the whitelist is ignored, but the invalid hash ID is still in the configuration and should be removed.


This is encountered when adding a DOM signature using tmsh. Here is an example where a2b2c3d4 is not a valid hash: tmsh modify security anti-fraud profile my1 urls modify { /login.php { malware { whitelist-dom-signatures add { a1b2c3d4 } } } }


add only valid hash-IDs to the DOM signatures whitelist

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips