ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
URL contains BadQueryChars: '/myURI/MyServlet;variable=value'
Article ID: 77169
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
We have a Web Agent protecting an application, and we are getting the following errors when accessing the URL '/myURI/MyServlet;variable=value':
In our ACO we have defined the following parameters:
Doing some tests we have noticed that when we remove the semicolon character from the BadQueryChars then we can access the URL above, but as there is no query string in the URL we don't know why it is complaining about BadQueryChars, as we don't even have the semicolon defined in the BadUrlChars parameter.
"URL contains invalid characters. Exiting with HTTP 500 server error '00-0002'."
In our ACO we have defined the following parameters:
BadUrlChars=//,./,/.,/*,*.,~,/,%00-%1f,%7f-%ff,%25 BadQueryChars=<,>,;,),(,+,%00
Doing some tests we have noticed that when we remove the semicolon character from the BadQueryChars then we can access the URL above, but as there is no query string in the URL we don't know why it is complaining about BadQueryChars, as we don't even have the semicolon defined in the BadUrlChars parameter.
Cause
As per the documentation, BadQueryChars "specifies characters that the Web Agent prohibits in the query string portion (following the '?') in a URL."
When the URL does not contain a '?' character, the Agent is actually checking the whole URL for BadQueryChars
When the URL does not contain a '?' character, the Agent is actually checking the whole URL for BadQueryChars
Environment
Web Agent R12.52 SP1 CR05
Resolution
This issue is fixed in Web Agent R12.52 SP1 CR09. Upgrade to that version to fix this issue.
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr09
Web Agent
| 00932392 | DE340263 |
The BadQueryChars ACO parameter incorrectly checks the entire URL if there is no query string. |
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr09
Additional Information
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/user-protection-and-tracking/help-prevent-attacks#HelpPreventAttacks-SpecifyBadQueryCharacters
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/user-protection-and-tracking/help-prevent-attacks#HelpPreventAttacks-SpecifyBadURLCharacters
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/user-protection-and-tracking/help-prevent-attacks#HelpPreventAttacks-SpecifyBadURLCharacters
Feedback
Yes
No
Powered by
