Date   : 13/03/2002
By     : Frank DENIS <j@42-networks.com>
Vendor : Foundry Networks (http://www.foundrynet.com)
Product: ServerIron web switches
Summary: Vulnerability in URI parsing code allows url-map rules to be bypassed.

------------------- DESCRIPTION -------------------

Foundry Networks' ServerIron family of Internet traffic and content management switches provides high performance Layer 2 through 7 switching, enabling network managers to control and manage today's exploding web transaction, web application and eCommerce traffic flows.

A key feature of ServerIron switches is that HTTP requests can be balanced across server groups according to rules. A common configuration is to have one group of servers for static content and other groups of servers for dynamic pages.

That feature is enabled with the "url-map" keyword in ServerIron switching rules. Several methods are available to select the server group according to the request, in particular the "pattern" method, which simply matches incoming URIs against patterns.

In the following configuration, PHP scripts are handled by server group #1, Perl scripts by group #2, and static pages by server group #3 :

  url-map "p1"
   method pattern
   default 3
   match .php 1
   match .pl 2

------------------- VULNERABILITY -------------------

Unlike web servers, ServerIron switches don't decode URIs, and patterns are matched against raw URIs. For a web server, the following requests are equivalent and refer to the same file :

  http://web.serv.er/index.pl
  http://web.serv.er/index.%70%6c

Unfortunately, for ServerIron switches, ".%70%6c" doesn't match ".pl". The request falls through to the next rule and goes to the wrong server group. In the previous configuration, the request will be processed by the servers dedicated to static content. The source code of PHP and Perl scripts may therefore be sent to the client instead of being processed by the expected servers.

------------------- WORKAROUND -------------------

Don't trust ServerIron pattern filtering.
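The raw-versus-decoded mismatch described above, reduced to a few lines of Python as an added illustration (not Foundry code, and not part of the original advisory): the advisory's url-map "p1" is re-implemented twice, once matching the raw URI as the switch does and once matching the percent-decoded path as the web server will interpret it, plus a helper that flags the requests in a log for which the two disagree. The rule order, the substring semantics of "match" and the sample requests are assumptions for the sake of the example.

```python
from urllib.parse import unquote, urlsplit

# Re-implementation (added here, not Foundry code) of the advisory's
# url-map "p1": (pattern, server group) in rule order, default group 3.
URL_MAP_P1 = [(".php", 1), (".pl", 2)]
DEFAULT_GROUP = 3


def select_group_raw(uri: str) -> int:
    """The behaviour the advisory describes: the pattern is searched
    in the raw request URI, with no percent-decoding at all."""
    for pattern, group in URL_MAP_P1:
        if pattern in uri:
            return group
    return DEFAULT_GROUP


def decoded_path(uri: str) -> str:
    """Reduce the URI to the path the origin web server will actually
    look up: drop scheme/host/query, then percent-decode once."""
    return unquote(urlsplit(uri).path)


def select_group_decoded(uri: str) -> int:
    """Hardened variant: the same rules, but matched against the
    decoded path so encoded and plain spellings route identically."""
    path = decoded_path(uri)
    for pattern, group in URL_MAP_P1:
        if pattern in path:
            return group
    return DEFAULT_GROUP


def find_mismatches(uris):
    """Detection helper for access logs: return the URIs that the raw
    matcher sends to a different group than the decoded matcher, i.e.
    requests whose encoding alone would have changed the routing."""
    return [u for u in uris if select_group_raw(u) != select_group_decoded(u)]


# Constructed sample requests (not taken from any real log).
SAMPLE_REQUESTS = [
    "/index.pl",
    "/index.%70%6c",
    "http://web.serv.er/index.php?id=1",
    "/index.%70h%70",
    "/images/logo.png",
]

if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        print(uri, "raw ->", select_group_raw(uri), "decoded ->", select_group_decoded(uri))
    print("routing changed by encoding:", find_mismatches(SAMPLE_REQUESTS))
```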
Duplicate the ServerIron filtering rules on every web server, by denying everything by default and allowing only the expected patterns. Sample Apache configuration for a static content server :

  Order deny,allow
  Deny from all
  <Files ~ "\.(html|shtml|jpg|png)$">
    Order allow,deny
    Allow from all
  </Files>

------------------- VENDOR RESPONSE -------------------

That issue was reported to Foundry Networks support on 12/02/2002 to security@foundrynet.com (mail bounced) and support@foundrynet.com .

First answer : do you have a valid support contract?

Second answer, the day after : "This is not a supported feature on our ServerIron. Please contact our Sales and submit a feature request".

Thanks to another customer, I finally got a phone call from a nice Foundry Networks technical manager on 19/02 . He acknowledged the bug, and said that no URI decoding was indeed made in ServerIron products, regardless of the firmware version.

All my mails to Foundry Networks have gone unanswered since. I don't know whether an official workaround or fix is in progress. It is not certain that the URI decoding issue will ever be addressed.

So the best way to go is probably to tell sysadmins that they must check their web server configurations, and not rely only on ServerIron url-map filtering.

-- 
 __  /*-     Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/