Tech Tip : CA Single Sign-On : Range HTTP header causing 403 error

Document created by Osarobo_Idehen Employee on Aug 11, 2017

Issue:


We're running a Web Agent on Apache. We are facing issues with HTTP
requests having the Range header "bytes=100-200,201-300":

    GET /mytestfile.html HTTP/1.1
    Host: mymachine.mydomain.com
    Range: bytes=100-200,201-300
    User-Agent: Mozilla/4.61 [en] (WinNT; I)

We get error 403 Forbidden.

If the request presents the Range header as "bytes=100-200", we receive 101
bytes of the resource and the request is processed correctly.

Why do we have this?



Environment:

Web Agent 12.52SP1CR00 on Apache 2.4.25

Cause:


This issue is not caused by the Web Agent.

It is caused by a security measure in the web server that limits how many ranges a Range header may contain, such as the one described in this note:

https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-Mitigation-of-Apache-Range-Header-DoS-Attack/



Resolution:


You can fix this issue by adjusting the measure to allow up to two ranges,
such as bytes=300-400,401-500, and no more. This still eliminates the risk of
the Range header DoS, and the request will be processed.
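As an added illustration (not part of this Tech Tip and not CA's configuration), the following assumes the mitigation is the mod_rewrite rule from the linked note, placed in the server or virtual host configuration. It shows a strict form that only admits a single range, which produces the 403 described in the Issue, beside the adjusted form from the Resolution that admits two ranges:

```apache
# Added example, assumed mod_rewrite based Range header mitigation.
# [F] returns 403 Forbidden whenever the Range header is present and
# does not match the allowed pattern, which is the symptom reported above.
RewriteEngine On

# Strict form (assumed to match what is deployed in the Issue): only a
# single range such as "bytes=100-200" passes; "bytes=100-200,201-300"
# is rejected with 403. Kept commented out for comparison.
#RewriteCond %{HTTP:Range} !(bytes=[^,]+$|^$)
#RewriteRule .* - [F]

# Adjusted form per the Resolution: {0,1} allows one optional extra
# range, so at most two ranges ("bytes=300-400,401-500") are accepted
# and the request is served, while requests carrying many ranges are
# still rejected. The same limit is applied to Request-Range, the
# legacy header name the linked note also covers.
RewriteCond %{HTTP:Range} !(bytes=[^,]+(,[^,]+){0,1}$|^$)
RewriteCond %{HTTP:Request-Range} !(bytes=[^,]+(,[^,]+){0,1}$|^$)
RewriteRule .* - [F]
```

After reloading httpd, a request with "Range: bytes=100-200,201-300" against /mytestfile.html should return 206 Partial Content instead of 403, while a request with a single range continues to work as before.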

 

 

 

KD : TEC1276053
