We're running a Web Agent, and when it handles the following URL, it doesn't URL-encode the SMTOKEN value:
https://myserver.mydomain.com/changepassword.do?method=changepassword&status=reset&SMENC=UTF-8&USERNAME=myusername&SMENC=UTF-8&SMTOKEN={RC2}451v5sINtfZ9NqThbVcBwAntT5iHEjLU6kkNPnmBr66Z6JXHdfSvqtuFvuABJ+i&USERNAME=myusername&SMAUTHREASON=24&SMAGENTNAME=ds5dsfssdc9jGVoxl9cCk4YsWXdgLtaJWt4dtcV7Vcl6dpTI4YK2P9JqIftcC09&TARGET=$SM$https%3A%2F%2Fmyserver.mydomain.com%2Flogin.do
Value : SMTOKEN={RC2}451v5sINtfZ9NqThbVcBwAntT5iHEjLU6kkNPnmBr66Z6JXHdfSvqtuFvuABJ+i
This happens on the old Web Agent 12SP3CR12, whereas on the more recent Web Agent 12.52SP1CR05 the value is correctly URL-encoded:
https://myotherserver.mydomain.com/changepassword.do?method=changepassword&status=reset&SMENC=UTF-8&USERNAME=myuser&SMENC=UTF-8&SMTOKEN=$SM$%7bRC2%7dcdZWTT%3dsaadmuZITZTh4VJy4bFjDczVwPykGwo8sc5dsDsdsR688OYCo6mLxtMKhsMj&USERNAME=myuser&SMAUTHREASON=24&SMAGENTNAME=$SM$dsadasd44ds2XSooudm2z3f4t3L6vAOEBLYsRhJX%2bGVC%2ftX9rTaimeJqFGiI33B&TARGET=$SM$https%3A%2F%2Fmyotherserver.mydomain.com%2Flogin.do
Value : SMTOKEN=$SM$%7bRC2%7dcdZWTT%3dsaadmuZITZTh4VJy4bFjDczVwPykGwo8sc5dsDsdsR688OYCo6mLxtMKhsMj
Why doesn't the 12.52SP1CR05 version show the problem?
At first glance, we note that the value causing the problem doesn't carry the $SM$ tag. That tag is what handles the {} characters so the URL respects RFC 3986, as described in the KD below.
According to that KD, the tag is added only from Web Agent 12.52SP1CR05 onward:
Issue with force change password feature
We've seen that the $SM$ tag in the SMTOKEN value causes the IM server not to be able to handle the request.
The addition of the $SM$ part in the SMTOKEN in Web Agent 12.52SP1 is about being compliant, on the security aspect, with RFC 3986 regarding the presence of {} characters in URLs.
To solve this issue and make the IM server compliant with that, you need to upgrade the IM server to version 14.3.
https://knowledge.broadcom.com/external/article?articleId=134422
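As an added check (example code written here, not from the article or from the Web Agent), the script below takes the article's two sample URLs, flags query values that contain characters RFC 3986 does not allow raw in a query, and reproduces the $SM$-prefixed percent-encoding the 12.52SP1CR05 agent emits so the two forms can be compared; the names audit_query, sm_encode and sm_decode are chosen here.

```python
from urllib.parse import unquote

# The two sample URLs from the article (placeholder hosts and tokens as given there).
OLD_URL = ("https://myserver.mydomain.com/changepassword.do?method=changepassword&status=reset"
           "&SMENC=UTF-8&USERNAME=myusername&SMENC=UTF-8"
           "&SMTOKEN={RC2}451v5sINtfZ9NqThbVcBwAntT5iHEjLU6kkNPnmBr66Z6JXHdfSvqtuFvuABJ+i"
           "&USERNAME=myusername&SMAUTHREASON=24"
           "&SMAGENTNAME=ds5dsfssdc9jGVoxl9cCk4YsWXdgLtaJWt4dtcV7Vcl6dpTI4YK2P9JqIftcC09"
           "&TARGET=$SM$https%3A%2F%2Fmyserver.mydomain.com%2Flogin.do")
NEW_URL = ("https://myotherserver.mydomain.com/changepassword.do?method=changepassword&status=reset"
           "&SMENC=UTF-8&USERNAME=myuser&SMENC=UTF-8"
           "&SMTOKEN=$SM$%7bRC2%7dcdZWTT%3dsaadmuZITZTh4VJy4bFjDczVwPykGwo8sc5dsDsdsR688OYCo6mLxtMKhsMj"
           "&USERNAME=myuser&SMAUTHREASON=24"
           "&SMAGENTNAME=$SM$dsadasd44ds2XSooudm2z3f4t3L6vAOEBLYsRhJX%2bGVC%2ftX9rTaimeJqFGiI33B"
           "&TARGET=$SM$https%3A%2F%2Fmyotherserver.mydomain.com%2Flogin.do")

# RFC 3986: query = *( pchar / "/" / "?" ), pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
# "{" and "}" belong to none of these sets, so they may only appear percent-encoded.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
QUERY_RAW_OK = UNRESERVED | set("!$&'()*+,;=:@/?%")  # "%" only as the start of a %XX triplet

def audit_query(url: str) -> dict:
    """Map each query parameter to the sorted characters it carries that RFC 3986 forbids raw."""
    query = url.split("?", 1)[1] if "?" in url else ""
    findings = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        bad = sorted({c for c in value if c not in QUERY_RAW_OK})
        if bad:
            findings[name] = bad
    return findings

def sm_encode(value: str) -> str:
    """Produce the 12.52SP1CR05 form: "$SM$" prefix, then everything outside the unreserved
    set percent-encoded with lower-case hex ("{" -> %7b, "=" -> %3d, "+" -> %2b).
    "+" is legal raw per RFC 3986 but means a space in form decoding, so encoding it is safer."""
    out = []
    for byte in value.encode("utf-8"):
        char = chr(byte)
        out.append(char if char in UNRESERVED else "%%%02x" % byte)
    return "$SM$" + "".join(out)

def sm_decode(value: str) -> str:
    """What the receiving server must do: drop the "$SM$" tag, then percent-decode."""
    return unquote(value[4:] if value.startswith("$SM$") else value)

if __name__ == "__main__":
    print(audit_query(OLD_URL))  # {'SMTOKEN': ['{', '}']}
    print(audit_query(NEW_URL))  # {}
```

Running the audit over captured redirect URLs from access logs is a quick way to confirm which agents still emit the un-encoded form before planning the upgrade.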
Policy Server 12.8SP3 on OEL 6;
Web Agent 12SP3CR12 on Apache 2.2;
Upgrade the Web Agent to the latest Web Agent 12.52SP1 series to solve this issue.