Bad URL Characters /. risks, vulnerability and impacts in Web Agent
Article ID: 259383

Products

SITEMINDER CA Single Sign On Agents (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

When running a Web Agent, what are the risks of allowing the following character sequence in the URL (1)?

  /.

Resolution

The string /. is listed in BadUrlChars because RFC 3986 treats the "." dot-segment as invalid or extraneous in a resolved path: a conforming client removes it before sending the request, so the Web Agent is not expected to receive it (2).

Further, some published vulnerabilities describe misuse of dot segments in paths (3)(4).

By default, BadUrlChars includes /. in its value. If /. is removed from the list, the Web Agent no longer blocks it.

  BadUrlChars //,./,/.,/*,*.,~,\,%00-%1f,%7f

If BadUrlChars is disabled entirely by commenting it out, all characters are allowed, according to the documentation (5).
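As an added example (not SiteMinder's own code) of the two behaviours contrasted above, the following Python implements RFC 3986 section 5.2.4 remove_dot_segments, which a conforming client applies before sending a request, beside an approximate check against the default BadUrlChars value; substring matching on the raw request path and byte-range matching of %xx escapes are assumptions about how the agent applies the list.

```python
import re

# Added example (not SiteMinder's code): RFC 3986 section 5.2.4 remove_dot_segments
# beside an approximate BadUrlChars check. Substring matching on the raw request
# path and hex-range matching of %xx escapes are assumptions about the agent.
DEFAULT_BAD_URL_CHARS = "//,./,/.,/*,*.,~,\\,%00-%1f,%7f"

def parse_bad_url_chars(value):
    """Split the BadUrlChars value into literal strings and %xx-%yy byte ranges."""
    literals, ranges = [], []
    for item in value.split(","):
        if item.startswith("%") and "-" in item:
            lo, hi = item.split("-")
            ranges.append((int(lo[1:], 16), int(hi[1:], 16)))
        else:
            literals.append(item)
    return literals, ranges

def find_bad_url_chars(url, value=DEFAULT_BAD_URL_CHARS):
    """Return the BadUrlChars entries present in url; an empty list means allowed."""
    literals, ranges = parse_bad_url_chars(value)
    hits = [lit for lit in literals if lit in url]
    for m in re.finditer(r"%([0-9a-fA-F]{2})", url):  # decoded byte vs. each range
        b = int(m.group(1), 16)
        hits += [f"%{lo:02x}-%{hi:02x}" for lo, hi in ranges if lo <= b <= hi]
    return hits

def remove_dot_segments(path):
    """RFC 3986 5.2.4: what a conforming resolver turns the path into (steps A-E)."""
    inp, out = path, []
    while inp:
        if inp.startswith("../"):                      # A
            inp = inp[3:]
        elif inp.startswith("./"):                     # A
            inp = inp[2:]
        elif inp.startswith("/./") or inp == "/.":     # B: "." as a whole segment
            inp = "/" + inp[3:]
        elif inp.startswith("/../") or inp == "/..":   # C: also drop last output segment
            inp = "/" + inp[4:]
            if out:
                out.pop()
        elif inp in (".", ".."):                       # D
            inp = ""
        else:                                          # E: move first segment to output
            cut = inp.find("/", 1 if inp.startswith("/") else 0)
            out.append(inp if cut < 0 else inp[:cut])
            inp = "" if cut < 0 else inp[cut:]
    return "".join(out)
```

A path such as /protected/./admin is flagged by the default list, while a client that normalizes first would have requested /protected/admin; removing /. from the list means the agent itself must handle such unnormalized paths.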

Additional Information

(1)

    Web Agent :: BadUrlChars : Impact of disabling Them
    

(2)

    Uniform Resource Identifier (URI): Generic Syntax

     3.3.  Path

    The path segments "." and "..", also known as dot-segments, are
    defined for relative reference within the path name hierarchy.
    They are intended for use at the beginning of a relative-path
    reference (Section 4.2) to indicate relative position within the
    hierarchical tree of names.  This is similar to their role
    within some operating systems' file directory structures to
    indicate the current directory and parent directory,
    respectively.  However, unlike in a file system, these
    dot-segments are only interpreted within the URI path hierarchy
    and are removed as part of the resolution process (Section 5.2).

      5.2.4.  Remove Dot Segments

       in order to remove any invalid or extraneous dot-segments prior to
       forming the target URI.

       B.  if the input buffer begins with a prefix of "/./" or "/.",
           where "." is a complete path segment, then replace that
           prefix with "/" in the input buffer; otherwise,

       C.  if the input buffer begins with a prefix of "/../" or "/..",
           where ".." is a complete path segment, then replace that
           prefix with "/" in the input buffer and remove the last
           segment and its preceding "/" (if any) from the output
           buffer; otherwise,

    

(3)

    CVE-2019-17573

      This webpage is vulnerable to a reflected Cross-Site Scripting (XSS)
      attack, which allows a malicious actor to inject javascript into the
      web page.

      [...omitted for brevity...]

      Please note that the attack exploits a feature which is
      not typically present in modern browsers, which remove dot
      segments before sending the request.

    

(4)

    CVE-2021-3281

      In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before
      3.1.6, the django.utils.archive.extract method (used by "startapp
      --template" and "startproject --template") allows directory
      traversal via an archive with absolute paths or relative paths with
      dot segments.

    

(5)

    BadUrlChars

      Default: Disabled (all characters are allowed).