Last Modified: Jan 20, 2023
Affected Product:
BIG-IP FPS
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3
Fixed In:
15.0.0
Opened: Dec 18, 2018
Severity: 4-Minor
The AJAX encryption feature does not encrypt parameters that are configured with encryption enabled in the application's AJAX request. This occurs when the parameters are sent with encoded names.
The configured parameter is sent as plain text.
-- Parameter is configured with encryption enabled.
-- AJAX encryption feature is enabled and the application sends the configured parameter using AJAX.
-- The application sends the configured name encoded.
-- The parameter-encoded name and the parameter-unencoded name are different.
In v14.0.x and later, once the parameter is configured, set the 'Name in request' option to the parameter's encoded name. For example, if you have a field called 'password', and you want to send an AJAX request using '%24password', you must configure AJAX Mapping like this: password -> %24password
In v14.0.x and later, continue to use the solution suggested in the Workaround section. In 13.1.x versions, the AJAX encryption feature now encrypts parameters with encoded names as well.
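One way to check captured AJAX traffic for the conditions listed above, as an added example that is not F5 code: it reports which configured parameters arrive under a percent-encoded name and would therefore need a 'Name in request' mapping. The helper names, parameter names and sample body are constructed for illustration, and an application/x-www-form-urlencoded body is assumed.

```javascript
// Added example: audit a captured AJAX body for configured parameters that
// travel under a percent-encoded name. All names and the body are constructed.

// Split a urlencoded body into [wireName, wireValue] pairs without decoding.
function rawPairs(body) {
  return body.split('&').filter(Boolean).map((pair) => {
    const eq = pair.indexOf('=');
    return eq === -1 ? [pair, ''] : [pair.slice(0, eq), pair.slice(eq + 1)];
  });
}

// Decode a name as a form parser would; return null on malformed escapes.
function decodeName(wireName) {
  try {
    return decodeURIComponent(wireName.replace(/\+/g, ' '));
  } catch (e) {
    return null;
  }
}

// For each parameter configured for encryption, report how it appears on the wire.
function auditEncodedNames(configuredNames, body) {
  const configured = new Set(configuredNames);
  const findings = [];
  for (const [wireName] of rawPairs(body)) {
    const decoded = decodeName(wireName);
    if (decoded === null || !configured.has(decoded)) continue;
    findings.push({
      configured: decoded,
      nameInRequest: wireName,
      needsMapping: wireName !== decoded, // encoded and unencoded names differ
    });
  }
  return findings;
}

// Constructed sample: '$password' and 'card[number]' are sent encoded, 'pin' is not.
const sampleBody = 'user=alice&%24password=hunter2&card%5Bnumber%5D=4111&pin=1234';
const sampleConfig = ['$password', 'card[number]', 'pin'];

for (const f of auditEncodedNames(sampleConfig, sampleBody)) {
  const note = f.needsMapping ? `map to '${f.nameInRequest}'` : 'no mapping needed';
  console.log(`${f.configured}: ${note}`);
}
```

Entries reported with `needsMapping` set are the ones that match the last two conditions above, where the encoded and unencoded names differ.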