BadURLChars ACO parameter does not block /%2F from URL

Document ID:  TEC1719365
Last Modified Date:  08/08/2017

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.52 SP1

Components

  • SITEMINDER -WEB AGENT FOR APACHE:SMAPC
Issue:

We want to block any URL that contains /%2F, for example: http://www.example.com/%2Fblockme

However, adding /%2F to the BadURLChars ACO parameter list has no effect. The parameter is configured as follows:
badurlchars='/%2f,//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25'

Also, if we add %2F (without the leading slash) to the BadURLChars list, the agent stops working and we get an HTTP 500 error from the agent.

Because the URL is not blocked, the browser receives an HTTP 404 error, which we do not want to expose for security reasons.

Environment:
Web Agent R12.52 SP1 CR01 on Apache 2.2
Cause:

You get the HTTP 404 error because Apache itself refuses the URL: with its default AllowEncodedSlashes Off setting, httpd rejects a request whose path contains an encoded slash (%2F) before the Web Agent ever sees it, so the BadURLChars check is never reached.

Resolution:

To stop Apache from refusing the URL, so that the request reaches the Web Agent and BadURLChars can act on it, set the Apache directive AllowEncodedSlashes to On:

Description: Determines whether encoded path separators in URLs are allowed to be passed through
Syntax: AllowEncodedSlashes On|Off|NoDecode
Default: AllowEncodedSlashes Off
Context: server config, virtual host
Status: Core
Module: core
Compatibility: Available in Apache httpd 2.0.46 and later. NoDecode option available in 2.2.18 and later.

The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for / and additionally %5C for \ on accordant systems) to be used in the path info.

With the default value, Off, such URLs are refused with a 404 (Not found) error.

With the value On, such URLs are accepted, and encoded slashes are decoded like all other encoded characters.

With the value NoDecode, such URLs are accepted, but encoded slashes are not decoded but left in their encoded state.

Turning AllowEncodedSlashes On is mostly useful when used in conjunction with PATH_INFO.
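As an added illustration (not part of this CA document or of the Web Agent's code), the following Python model shows the order of checks the article describes: with AllowEncodedSlashes Off, httpd refuses a path containing an encoded slash with a 404 before the Web Agent runs; with On, the still-encoded URI reaches the agent, where the /%2f entry of the BadURLChars list quoted above can match. The list parser, the treatment of entries like %00-%1f as ranges of percent-encoded bytes, matching against the raw URI, and the "agent"/"pass" outcomes are simplifying assumptions, not the agent's documented behaviour.

```python
import re
from urllib.parse import unquote

# Constructed sample mirroring the BadURLChars value quoted in the article.
BAD_URL_CHARS = "/%2f,//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25"

_RANGE = re.compile(r"^%([0-9a-fA-F]{2})-%([0-9a-fA-F]{2})$")


def parse_bad_url_chars(value):
    """Split the ACO list into literal substrings and (lo, hi) byte ranges.
    Assumption: an entry of the form %XX-%YY denotes every percent-encoded
    byte in that range; every other entry is a literal substring."""
    literals, ranges = [], []
    for entry in value.split(","):
        m = _RANGE.match(entry)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
        elif entry:
            literals.append(entry.lower())
    return literals, ranges


def matches_bad_url_chars(raw_uri, value=BAD_URL_CHARS):
    """Return the first offending entry found in the raw (still-encoded)
    URI, or None. Hex digits in %XX sequences compare case-insensitively,
    so /%2F in the request matches the /%2f entry in the list."""
    literals, ranges = parse_bad_url_chars(value)
    uri = raw_uri.lower()
    for lit in literals:
        if lit in uri:
            return lit
    for hexpair in re.findall(r"%([0-9a-f]{2})", uri):
        byte = int(hexpair, 16)
        for lo, hi in ranges:
            if lo <= byte <= hi:
                return "%%%02x-%%%02x" % (lo, hi)
    return None


def apache_then_agent(raw_uri, allow_encoded_slashes="Off"):
    """Simplified model of the check order described in the article.
    Off: httpd answers 404 for an encoded slash and the agent never runs.
    On/NoDecode: httpd accepts the URI and the agent's BadURLChars applies."""
    if allow_encoded_slashes.lower() == "off" and re.search("%2f", raw_uri, re.I):
        return ("apache", 404)
    hit = matches_bad_url_chars(raw_uri)
    if hit:
        return ("agent", hit)  # agent blocks; its actual response code is not modelled
    return ("pass", unquote(raw_uri))
```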
