Apache Web Agent is ignoring BadUrlChar //

Article ID: 198635


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
SITEMINDER

Issue/Introduction


While testing a Web Agent, the BadUrlChar "//" is ignored and let through by the Web Agent.

All other BadUrlChars values are blocked as expected: they are logged as BadUrlChars in the trace log and the browser receives the HTTP 500 return code.

Environment


Web Agent 12.52SP1CR10 on Apache 2.4.41.

Resolution


The Apache web server "normalizes" a URI that contains // through a URL rewrite, changing it to a single /.

In the Apache request_rec structure the URI is URI = 0x2967898 "/xsschecking/", although the actual request is "GET //xsschecking// HTTP/1.1".

Since the URI does not contain "//", the Web Agent does not block the URL.

To illustrate:

[08/18/2020][11:50:16][11948][2977765120][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][][*10.0.0.1][][server.example.com.9806][][][Resolved URL: '//cgi-bin/printenv.cgi?SMIDSESSION=data_suppressed'.]

Then the request is normalized:

[08/18/2020][11:50:16][11948][2977765120][CSmHttpPlugin.cpp:915][CSmHttpPlugin::ProcessResource][][*10.0.0.1][][server.example.com.9806][/cgi-bin/printenv.cgi][][Resolved cookie domain: ''.]
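
The ordering effect described in the Resolution, as an added C sketch (not Broadcom or Apache code): a filter that only sees the URI after slash merging never matches "//", while other sequences still match. The functions merge_slashes, has_bad_url_chars, check_after_normalization and check_raw are hypothetical stand-ins, and the bad-sequence list is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the server's slash merging (not Apache source):
 * collapse every run of '/' in the path into a single '/', in place. */
static void merge_slashes(char *path)
{
    char *src = path, *dst = path;
    while (*src) {
        *dst++ = *src;
        if (*src == '/')
            while (*src == '/') src++;   /* skip the rest of the run */
        else
            src++;
    }
    *dst = '\0';
}

/* Hypothetical stand-in for a BadUrlChars test: 1 if a listed sequence occurs. */
static int has_bad_url_chars(const char *url, const char *const *bad, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strstr(url, bad[i]) != NULL)
            return 1;
    return 0;
}

/* Verdict when the filter only sees the URI after normalization. */
int check_after_normalization(const char *raw, const char *const *bad, size_t n)
{
    char uri[256];
    snprintf(uri, sizeof uri, "%s", raw);  /* copy, truncating if too long */
    merge_slashes(uri);
    return has_bad_url_chars(uri, bad, n);
}

/* Verdict when the filter sees the request target exactly as received. */
int check_raw(const char *raw, const char *const *bad, size_t n)
{
    return has_bad_url_chars(raw, bad, n);
}

int main(void)
{
    const char *const bad[] = { "//", "./", "~" };  /* constructed list */
    const char *target = "//xsschecking//";         /* request path from the article */
    printf("raw=%d ", check_raw(target, bad, 3));
    printf("normalized=%d\n", check_after_normalization(target, bad, 3));
    return 0;
}
```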