Bug ID 753441: AJAX encryption feature ignores encoded parameters names

Last Modified: Mar 21, 2019

Affected Product:
BIG-IP FPS (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3

Opened: Dec 18, 2018
Severity: 4-Minor

Symptoms

The AJAX encryption feature does not encrypt parameters that are configured with encryption enabled when the application's AJAX request sends those parameters with encoded names.

Impact

The configured parameter is sent as plain text.

Conditions

-- Parameter is configured with encryption enabled.
-- AJAX encryption feature is enabled and the application sends the configured parameter using AJAX.
-- The application sends the configured name encoded.
-- The parameter-encoded name and the parameter-unencoded name are different.

Workaround

In v14.0.x and later, once the parameter is configured, set the 'Name in request' option to the parameter's encoded name. For example, if you have a field called 'password', and you want to send an AJAX request using '%24password', you must configure AJAX Mapping like this: password -> %24password
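
The following is an added example, not F5 code and not part of the original bug report: a JavaScript check that scans a captured form-urlencoded AJAX body for configured parameters whose name is percent-encoded on the wire (the Conditions above), which are the candidates for a 'Name in request' mapping. The function names, parameter names and sample body are constructed for illustration.

```javascript
// Added example (not F5 code). All names and the sample body are constructed.
// Flags configured parameters whose on-the-wire name is percent-encoded and
// therefore differs from the unencoded name that was configured.

function decodeName(raw) {
  try {
    // In form-urlencoded bodies '+' stands for a space.
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (e) {
    return null; // malformed percent-sequence: cannot be matched reliably
  }
}

function findEncodedNameMismatches(rawBody, configuredNames) {
  const configured = new Set(configuredNames);
  const findings = [];
  for (const pair of rawBody.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    // Keep the name exactly as sent; do not decode before comparing.
    const rawName = eq === -1 ? pair : pair.slice(0, eq);
    const decoded = decodeName(rawName);
    if (decoded === null) {
      findings.push({ rawName, configuredName: null, reason: 'malformed-encoding' });
    } else if (decoded !== rawName && configured.has(decoded) && !configured.has(rawName)) {
      // Encoded and unencoded names differ: candidate for a 'Name in request' mapping.
      findings.push({ rawName, configuredName: decoded, reason: 'encoded-name-differs' });
    }
  }
  return findings;
}

// Constructed sample: one plain name, two encoded names, one malformed name.
const SAMPLE_BODY = 'username=alice&user%5Bpin%5D=1234&%24token=abc&bad%ZZ=1';
const CONFIGURED = ['username', 'user[pin]', '$token'];

function demo() {
  return findEncodedNameMismatches(SAMPLE_BODY, CONFIGURED);
}

for (const f of demo()) {
  console.log(`${f.reason}: sent as "${f.rawName}", configured as "${f.configuredName}"`);
}
```

Each `encoded-name-differs` finding gives the raw name to review as the 'Name in request' value for that parameter.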

Fix Information

None

Behavior Change