Web Agent :: BadURLChars : %25 Risks

Document ID : KB000048369
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

I would like to know the risks to remove "%25" from BadURLChars on a Web Agent Reverse Proxy. I have some applications conflicting and I would like to remove this configuration.

Solution:

%25 is encoded character "%", which is an escape character, which mean that it could transport another character. This character is blocked by default in the BadURLChars as if it is allowed, when decoded, it may pass an encoded character to the application, which known as "multiple decoding" issue. Then the application might receive an encoded character which is decoded at the application level and the application might not expect this character.

As you probably know already, there is a lot of sample like this one on the internet.

The character is sent in the URL :

%255c

which will be decoded at the Web Server level as

%5c

and may be then decoded by the application once again as

\

as for this well known sample :

http://TARGET/scripts/..%255c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\

Host execution: dir c:\

the directory list of C:\is revealed

(http://help.sap.com/saphelp_nw74/helpdata/en/df/c36a376a3a43ceaaa879ab726f0ec8/content.htm)

Usually, we see this kind of request because some links deserved through a Reverse Proxy are containing space characters. The problem is that by the Apache Reverse Proxy, the URL is not decoded, and thus the escape character is cached :

https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=TEC508229

Unfortunately, there is no other solution than to change the URL's or to disable the check for the %25, but taking care that the backend application will handle this kind of characters.