Tech Tip : CA Single Sign-On : BadURLChars ACO parameter does not block /%2F from URL

Document created by Albert_Fernandez Employee on Jan 8, 2018
Version 1

Issue:

We want to block any URL that contains /%2F, for example: http://www.example.com/%2Fblockme

However, adding /%2F to the BadURLChars ACO parameter list has no effect. The parameter is configured as follows:
badurlchars='/%2f,//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25'.

Also, if we add %2F to the BadURLChars list without the leading slash, the agent breaks and returns an HTTP 500 error.

Because the URL is not blocked, the browser receives an HTTP 404 error, which we do not want to expose for security reasons.

 

Environment:

Web Agent R12.52 SP1 CR01 on Apache 2.2

 

Cause:

The HTTP 404 error is returned by Apache itself, not by the Web Agent. With the default setting AllowEncodedSlashes Off, Apache refuses any request whose path contains an encoded path separator (%2F) before the request reaches the Web Agent, so the BadURLChars check never runs and the entry in the list has nothing to act on.

 

Resolution:

To stop Apache from rejecting the URL, set the Apache directive AllowEncodedSlashes to On. Its context is server config and virtual host, so place it in the server configuration or in the <VirtualHost> block that serves the protected application, then restart or gracefully reload httpd. The directive is documented as follows:

Description:

Determines whether encoded path separators in URLs are allowed to be passed through

Syntax:

AllowEncodedSlashes On|Off|NoDecode

Default:

AllowEncodedSlashes Off

Context:

server config, virtual host

Status:

Core

Module:

core

Compatibility:

Available in Apache httpd 2.0.46 and later. NoDecode option available in 2.2.18 and later.

The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for / and additionally %5C for \ on accordant systems) to be used in the path info.

With the default value, Off, such URLs are refused with a 404 (Not found) error.

With the value On, such URLs are accepted, and encoded slashes are decoded like all other encoded characters.

With the value NoDecode, such URLs are accepted, but encoded slashes are not decoded but left in their encoded state.

Turning AllowEncodedSlashes On is mostly useful when used in conjunction with PATH_INFO.
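To make the three values concrete, here is a small Python simulation. It is an added illustration, not code from Apache or from the CA Web Agent: apache_path applies the Off/On/NoDecode semantics described above to a raw request path, and first_bad_token is a hypothetical stand-in for the agent's BadURLChars check that matches each listed token as a case-insensitive substring (the real agent's matching rules are not documented on this page and are assumed here). The BadURLChars value is the one from the Issue section; the request path is the constructed example from the Issue as well.

```python
"""Simulate Apache httpd's AllowEncodedSlashes handling of a request path
and show what a downstream URL filter sees in each mode.

Added illustration only: this is not Apache or CA Web Agent code.  The
filter below is a hypothetical stand-in for the agent's BadURLChars check
(each listed token is matched as a case-insensitive substring); the real
agent's matching rules are not documented on the page this accompanies.
"""
import re
from typing import List, Optional

# The directive only cares about encoded path separators: %2F ("/") and,
# on systems that treat backslash as a separator, %5C ("\").
ENCODED_SEPARATOR = re.compile(r"%(?:2f|5c)", re.IGNORECASE)
PCT_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")


def _decode_escape(m: "re.Match") -> str:
    """Turn one %XX escape into its character (latin-1 for bytes >= 0x80)."""
    return chr(int(m.group(1), 16))


def apache_path(raw_path: str, mode: str = "Off") -> Optional[str]:
    """Return the path a handler sees after AllowEncodedSlashes is applied,
    or None when Apache refuses the request with 404 (the default, Off)."""
    mode = mode.lower()
    if mode not in ("off", "on", "nodecode"):
        raise ValueError(f"unknown AllowEncodedSlashes value: {mode!r}")
    if mode == "off" and ENCODED_SEPARATOR.search(raw_path):
        # Off: a path carrying %2F/%5C is rejected before any module runs,
        # so a Web Agent filter never gets to inspect it.
        return None
    if mode == "nodecode":
        # NoDecode: every escape is decoded except the encoded separators,
        # which stay literally as "%2F" / "%5C" in the path.
        return PCT_ESCAPE.sub(
            lambda m: m.group(0) if ENCODED_SEPARATOR.fullmatch(m.group(0))
            else _decode_escape(m),
            raw_path,
        )
    # On (or Off with no encoded separator present): decode everything,
    # so "%2F" becomes a real "/" in the path.
    return PCT_ESCAPE.sub(_decode_escape, raw_path)


# The BadURLChars value from the Issue section, used as sample input.
BADURLCHARS = "/%2f,//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25"


def parse_badurlchars(spec: str) -> List[str]:
    """Split the comma-separated list into tokens.  A %XX-%YY entry is
    expanded to the individual characters in that range (an assumption
    made for this illustration, not the agent's documented behaviour)."""
    tokens: List[str] = []
    for item in spec.split(","):
        rng = re.fullmatch(r"%([0-9a-fA-F]{2})-%([0-9a-fA-F]{2})", item)
        if rng:
            lo, hi = int(rng.group(1), 16), int(rng.group(2), 16)
            tokens.extend(chr(c) for c in range(lo, hi + 1))
        else:
            tokens.append(item)
    return tokens


def first_bad_token(path: str, tokens: List[str]) -> Optional[str]:
    """Hypothetical filter: return the first token found in the path
    (case-insensitive substring match), or None if the path is clean."""
    lowered = path.lower()
    for token in tokens:
        if token.lower() in lowered:
            return token
    return None


def outcome(raw_path: str, mode: str, spec: str = BADURLCHARS) -> str:
    """Describe end to end what happens to a request in the given mode."""
    seen = apache_path(raw_path, mode)
    if seen is None:
        return "404 from Apache (filter never ran)"
    hit = first_bad_token(seen, parse_badurlchars(spec))
    return f"filter saw {seen!r}: " + (f"blocked on {hit!r}" if hit else "allowed")


if __name__ == "__main__":
    # Constructed request path from the Issue section.
    for mode in ("Off", "On", "NoDecode"):
        print(f"{mode:9s} {outcome('/%2Fblockme', mode)}")
```

Running it shows the difference the directive makes: with Off the request dies inside Apache with a 404 and the filter never runs; with On the path arrives at the filter as //blockme, where the // entry catches it; with NoDecode it arrives as /%2Fblockme and matches the /%2f entry. Whether the real Web Agent inspects the decoded or the still-encoded form is not stated on this page, so after changing the directive send a test request for /%2Fblockme and confirm the agent, not Apache, is the component producing the block.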

 

Additional Information:

Apache Documentation - AllowEncodedSlashes Directive: https://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes
URLEncoded forward slash is breaking URL

KD : TEC1719365
