Bug ID 753441: AJAX encryption feature ignores encoded parameters names

Last Modified: Sep 18, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP FPS(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2

Fixed In:
15.0.0

Opened: Dec 18, 2018
Severity: 4-Minor

Symptoms

AJAX encryption feature does not encrypt parameters configured with encryption enabled in the application AJAX request. This is done in case the parameters are sent with encoded names.

Impact

The configured parameter is sent as plain text.

Conditions

-- Parameter is configured with encryption enabled. -- AJAX encryption feature is enabled and the application sends the configured parameter using AJAX. -- The application sends the configured name encoded. -- The parameter-encoded name and the parameter-unencoded name are different.

Workaround

You v14.0.x and later, once the parameter is configured, configure the 'Name in request' option to the parameter encoded name. For example, if you have a field called 'password', and you want to send an AJAX request using '%24password', you must configure AJAX Mapping like this: password -> %24password

Fix Information

In v14.0.x and later, continue to use the solution suggested in the Workaround section. In 13.1.x versions, the encrypt AJAX feature now encrypts parameters with encoded names as well.

Behavior Change