Bug ID 932193: Improper handling of multiple cookie headers results in security bypass

Last Modified: Jun 07, 2022

Affected Product:
BIG-IP ASM (all modules)

Fixed In:
17.0.0

Opened: Jul 29, 2020
Severity: 3-Major

Symptoms

Improper handling of multiple Cookie headers results in a security bypass when certain server technologies are used. ASM inspects each Cookie header separately, but the backend server concatenates them into one value, so attack signatures that ASM would normally match can be split across headers and go undetected.

Impact

Bypass of negative security enforcement; affects certain server technologies.

Conditions

When PHP is used as the backend server technology and a specially crafted request containing multiple Cookie headers is sent.

Workaround

None

Fix Information

Templates are modified to change the default value of 'Repeated Occurrences' for HTTP header 'cookie' to 'Disallow'.
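The following is an added illustration, not F5's code or ASM's signature set: it models the granularity mismatch from Symptoms (per-header inspection versus a backend that merges repeated Cookie headers) and the 'Repeated Occurrences' = 'Disallow' policy from the fix. The signature, the sample headers and the merge separators are constructed assumptions.

```python
import re
from typing import List

# Constructed stand-in for a whitespace/punctuation-tolerant negative-security
# signature. This is NOT an ASM signature; it only needs to span two tokens.
SIGNATURE = re.compile(r"union\W+select", re.IGNORECASE)


def inspect_per_header(cookie_headers: List[str]) -> bool:
    """Pre-fix model: each Cookie header is matched on its own."""
    return any(SIGNATURE.search(h) is not None for h in cookie_headers)


def join_like_backend(cookie_headers: List[str], sep: str) -> str:
    """Reassemble the value as a backend that merges repeated Cookie headers
    would see it. The separator is an assumption; it depends on the web
    server / SAPI (", " and "; " are both seen in practice)."""
    return sep.join(cookie_headers)


def inspect_joined(cookie_headers: List[str], sep: str) -> bool:
    """Match the signature against the merged value the backend parses."""
    return SIGNATURE.search(join_like_backend(cookie_headers, sep)) is not None


def evaluate(cookie_headers: List[str], repeated_occurrences: str = "Allow",
             sep: str = ", ") -> str:
    """Return 'block' or 'allow' for a request's Cookie headers.

    repeated_occurrences models the fixed template setting: with 'Disallow',
    a request carrying more than one Cookie header is blocked before any
    signature matching, so the split cannot reach the backend.
    """
    if repeated_occurrences == "Disallow" and len(cookie_headers) > 1:
        return "block"
    # Fallback inspection over the merged value is an assumed normalization
    # step for illustration; it is not what the fix described above does.
    if inspect_joined(cookie_headers, sep):
        return "block"
    return "allow"


# Constructed request: the signature's two tokens land in separate headers.
SPLIT_HEADERS = ["a=1 union", "select 2"]

if __name__ == "__main__":
    print("per-header match:", inspect_per_header(SPLIT_HEADERS))   # False
    print("merged match   :", inspect_joined(SPLIT_HEADERS, ", "))  # True
    print("Disallow policy:", evaluate(SPLIT_HEADERS, "Disallow"))  # block
```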

Behavior Change