Range HTTP header causing 403 error

Document ID:  TEC1276053
Last Modified Date:  08/08/2017

Products

  • CA Single Sign-On

Components

  • SITEMINDER -WEB AGENT FOR APACHE:SMAPC
Issue:

We're running a Web Agent on Apache. We are facing issues with HTTP requests having Range header "bytes=100-200,201-300":

GET /mytestfile.html HTTP/1.1
Host: mymachine.mydomain.com
Range: bytes=100-200,201-300
User-Agent: Mozilla/4.61 [en] (WinNT; I)

We get error 403 Forbidden.

If the request presents the Range header as "bytes=100-200", we receive 101 bytes of the resource, and the request is processed correctly.

Why do we have this?

Environment:
Web Agent on 12.52SP1CR00 on Apache 2.4.25
Cause:

This issue is outside our Web Agent.

A security measure that allows only some characters, like the one described in this note, causes the issue:

https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-Mitigation-of-Apache-Range-Header-DoS-Attack/

Resolution:

You'll be able to fix this issue by allowing only two ranges, like bytes=300-400,401-500, and not more. This will eliminate the risk of DoS and will work.

However, you will have to decide on the solution that suits your needs, as the issue is not in the Web Agent.
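
The "two ranges and not more" policy from the resolution, written out as a check (an added example, not code from CA or from the linked note; the function names and the two constructed sample headers are assumptions). It parses the Range value, rejects malformed specs, and denies requests that ask for more than two ranges:

```python
import re

MAX_RANGES = 2  # limit taken from the resolution: two ranges and not more
SPEC = re.compile(r"(\d*)-(\d*)")  # "first-last", "first-" or "-suffix"

def parse_range(value):
    """Parse a Range header value into [(first, last), ...]; None marks an open end."""
    unit, sep, specs = value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("only the 'bytes' range unit is accepted")
    ranges = []
    for spec in specs.split(","):
        m = SPEC.fullmatch(spec.strip())
        if m is None or m.group(0) == "-":
            raise ValueError("malformed range spec: %r" % spec)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError("last byte before first byte: %r" % spec)
        ranges.append((first, last))
    return ranges

def check_range(value, max_ranges=MAX_RANGES):
    """Return (allowed, reason) for one Range header value."""
    try:
        ranges = parse_range(value)
    except ValueError as exc:
        return False, str(exc)
    if len(ranges) > max_ranges:
        return False, "%d ranges requested, limit is %d" % (len(ranges), max_ranges)
    return True, "ok"

# Headers from the article plus two constructed ones (marked).
SAMPLES = [
    "bytes=100-200",
    "bytes=100-200,201-300",
    "bytes=300-400,401-500",
    "bytes=0-10,20-30,40-50",   # constructed: three ranges, over the limit
    "bytes=100-200;201-300",    # constructed: unexpected separator
]

if __name__ == "__main__":
    for header in SAMPLES:
        allowed, reason = check_range(header)
        print("%-26s %s (%s)" % (header, "allow" if allowed else "403", reason))
```

Running the same sample headers against the rule that is actually deployed shows whether it still returns 403 for the two-range request from the issue.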

 
