BadURLChars ACO parameter does not block /%2F from URL

Article ID: 7551

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

We want to block a URL containing /%2F, for example: http://www.example.com/%2Fblockme

However, when we add /%2F to the BadURLChars ACO parameter list, nothing happens. We have the parameter configured as follows:
badurlchars='/%2f,//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25'

Also, if we add %2F to the BadURLChars list (without the slash), the agent breaks and we get an HTTP 500 error from the agent.

As this is not blocked, the browser gets an HTTP 404 error, which we do not want to show for security reasons.

Cause

The HTTP 404 comes from Apache httpd itself, not from the Web Agent. With the default AllowEncodedSlashes Off, Apache refuses any URL whose path contains an encoded path separator (%2F) and answers 404 (Not Found) before the Web Agent is invoked. The request never reaches the agent, so the BadURLChars parameter has nothing to act on, whatever value it holds.

Environment

Web Agent R12.52 SP1 CR01 on Apache 2.2

Resolution

To stop Apache from rejecting the request before the Web Agent sees it, set the Apache directive AllowEncodedSlashes to On in the server configuration or in the relevant VirtualHost (the directive is not valid in .htaccess) and restart or gracefully reload httpd. Once the request reaches the agent, the '/%2f' entry in BadURLChars can take effect and the agent's own block response is returned instead of Apache's 404. On Apache 2.2.18 and later, NoDecode is an alternative that accepts the URL but leaves %2F encoded rather than turning it into a real path separator; either value passes the request through to the agent. Verify the change by requesting http://www.example.com/%2Fblockme again and confirming that the response now comes from the agent (and appears in the agent log) rather than as a 404 from Apache.

Description: Determines whether encoded path separators in URLs are allowed to be passed through
Syntax: AllowEncodedSlashes On|Off|NoDecode
Default: AllowEncodedSlashes Off
Context: server config, virtual host
Status: Core
Module: core
Compatibility: Available in Apache httpd 2.0.46 and later. NoDecode option available in 2.2.18 and later.

The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for /, and additionally %5C for \ on systems where \ is a path separator) to be used in the path info.

With the default value, Off, such URLs are refused with a 404 (Not found) error.

With the value On, such URLs are accepted, and encoded slashes are decoded like all other encoded characters.

With the value NoDecode, such URLs are accepted, but encoded slashes are not decoded but left in their encoded state.

Turning AllowEncodedSlashes On is mostly useful when used in conjunction with PATH_INFO.
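As an added example (not part of this article, and not SiteMinder Web Agent or Apache httpd code), the following Python models the two checks a request such as /%2Fblockme goes through: Apache's AllowEncodedSlashes decision, as documented above, followed by a BadURLChars match using the ACO value from the Issue section. The BadURLChars matching rules (case-insensitive literal substrings plus %xx-%yy byte ranges) and the assumption that the agent inspects the path in the form Apache passes it on are simplifications made for illustration.

```python
import re

# Added example for this article; it is not SiteMinder Web Agent or Apache httpd
# code. It models the two checks a request such as /%2Fblockme goes through:
# Apache's AllowEncodedSlashes decision (behaviour as documented above) and then
# the agent's BadURLChars check. Assumptions made for illustration: BadURLChars
# is a comma-separated list of case-insensitive literal substrings plus %xx-%yy
# byte ranges that match a raw byte or a still-encoded %xx sequence in that range,
# and the agent inspects the path in the form Apache passes it on.

BADURLCHARS = "/%2f,//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25"  # value from the ACO above

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
# %2F is '/', %5C is '\'. httpd treats %5C as a separator only where '\' is a
# path separator; this model treats both as separators everywhere.
_ENCODED_SEPARATORS = {"2f", "5c"}


def _decode(path, keep_separators=False):
    """Percent-decode one byte at a time; code point == byte value."""
    def repl(m):
        hexpair = m.group(1).lower()
        if keep_separators and hexpair in _ENCODED_SEPARATORS:
            return m.group(0)
        return chr(int(hexpair, 16))
    return _PCT.sub(repl, path)


def apache_path(raw_path, allow_encoded_slashes="Off"):
    """Return the path httpd passes on, or None where httpd answers 404."""
    mode = allow_encoded_slashes.lower()
    has_encoded_sep = any(h.lower() in _ENCODED_SEPARATORS
                          for h in _PCT.findall(raw_path))
    if mode == "off":
        return None if has_encoded_sep else _decode(raw_path)
    if mode == "on":
        return _decode(raw_path)                        # %2F becomes a real '/'
    if mode == "nodecode":
        return _decode(raw_path, keep_separators=True)  # %2F stays encoded
    raise ValueError(f"unknown AllowEncodedSlashes value: {allow_encoded_slashes}")


def parse_bad_url_chars(value):
    """Split the ACO value into lowercase literals and inclusive byte ranges."""
    literals, ranges = [], []
    for item in (s.strip() for s in value.split(",")):
        m = re.fullmatch(r"%([0-9A-Fa-f]{2})-%([0-9A-Fa-f]{2})", item)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
        elif item:
            literals.append(item.lower())
    return literals, ranges


def bad_url_match(path, value=BADURLCHARS):
    """Return the BadURLChars entry the path trips, or None if it is clean."""
    literals, ranges = parse_bad_url_chars(value)
    lowered = path.lower()
    for lit in literals:
        if lit in lowered:
            return lit
    # Byte ranges: check raw characters and still-encoded %xx sequences alike.
    seen = [ord(c) for c in path] + [int(h, 16) for h in _PCT.findall(path)]
    for lo, hi in ranges:
        if any(lo <= v <= hi for v in seen):
            return f"%{lo:02x}-%{hi:02x}"
    return None


def evaluate(raw_path, allow_encoded_slashes="Off", value=BADURLCHARS):
    """Outcome for one request path: 'apache-404', 'agent-blocked:<entry>' or 'passed'."""
    path = apache_path(raw_path, allow_encoded_slashes)
    if path is None:
        return "apache-404"            # the agent never sees this request
    hit = bad_url_match(path, value)
    return f"agent-blocked:{hit}" if hit else "passed"


if __name__ == "__main__":
    for mode in ("Off", "On", "NoDecode"):
        print(f"AllowEncodedSlashes {mode:8} /%2Fblockme -> {evaluate('/%2Fblockme', mode)}")
```

Running it shows the three outcomes side by side: with Off the request ends as Apache's 404 and the agent is never consulted; with NoDecode the path still contains the literal %2F, so the '/%2f' entry is what matches; with On the encoded slash has already become a real '/' by the time the agent runs, so under this model it is the '//' entry in the same list that catches it. Either way the request is refused by the agent rather than by Apache, which is the behaviour the Issue section asks for.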

Additional Information

Apache Documentation - AllowEncodedSlashes Directive: https://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes
URLEncoded forward slash is breaking URL