The DisableDotDotRule parameter determines whether or not the Web Agent automatically authorizes a URI that contains two dots separated by a slash (/).
Default: No
If the DisableDotDotRule is set to yes, the Agent does not apply the double dot rule. For example, if the URI is:
The Web Agent uses the IgnoreExt parameter to determine if the resource should be automatically authorized.
The Agent can ignore this URI because the two dots are not separated by a slash (/). The double-dot rule is not applicable in this case.
If the DisableDotDotRule is set to no, the default, the Web Agent applies the double-dot rule. The Web Agent challenges requests for the following URIs, passing the request to the Policy Server:
This URI falls under the double-dot rule because the two dots are separated by a slash.
The web server may consider /dir1/app.pl as the target resource, and /file1.gif as extra path information, typically viewable in CGI headers as PATH_INFO.
The Agent may ignore this URI because even though the double-dot rule is being enforced, the two dots are not separated by a slash (/), so the rule is not applicable.
Important! Avoid creating the possibility for unauthorized access when you use the IgnoreExt and DisableDotDotRule parameters together. For example, if you want to protect /dir1/app.pl, but you set the DisableDotDotRule parameter to yes, the Agent ignores the URI /dir1/app.pl/file1.gif because you have disabled the double-dot rule and included .gif in the IgnoreExt parameter. Consequently, an unauthorized user may access the protected application /dir1/app.pl.
You can list a set of character sequences that cannot be part of a URL request. These are treated by the Agent as bad URL characters. The Web Agent will refuse URL requests that contain any of the characters or strings of characters that you include in this list. The checking is done on the URL before the "?" character. The Web Agent rejects URL requests that include such characters because a malicious Web client might use such characters to evade SiteMinder rules.
When a Web Agent refuses a URL request containing a Bad URL character, the web server responds with one of the following messages:
Check your Web Agent logs for information on how the Agent is handling requests.
You specify the characters with the following parameter:
Specifies the character sequences that cannot be used in URL requests. The Web Agent checks the characters in the URL that occur before the "?" character against the list in this parameter. If any of the specified characters are found, the Web Agent rejects the request.
You can specify the following characters:
Separate multiple characters with commas. Do not use spaces.
You can use the bad URL characters in CGI parameters if the question mark (?) precedes the bad URL characters.
Default: //,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25
Limits:
To specify Bad URL characters, edit the value of the BadURLChars parameter to include the characters that you want to block.
Note: When configuring the Apache 2.0 Reverse Proxy Server and Outlook Web Access (OWA), be sure to turn off the BadURLChars parameter. OWA allows unrestricted characters in the email subject that might be listed in the BadURLChars parameter.
|
Copyright © 2012 CA.
All rights reserved.
|
|