Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Receive an HTTP 400 error if %2F is part of the GET URL in JBOSS

Tags:

http

jboss

Whenever a URL that has %2F which is the hex code for / is posted to my JBOSS Server, I get an error:

HTTP 400 Bad Request error message. 

Here is the URL:

http://localhost:8080/application/**abc%2Fhi**?msg=hello"

If I remove the %2F from the URL the link works fine.

This %2F has to be part of the URL and cannot be a request parameter.

like image 255
Naresh S Avatar asked Nov 01 '10 12:11

Naresh S


1 Answers

Finally figured out the cause of this (both for JBoss and Apache). Both applications intentionally reject URIs with an encoded slash (%2F for / and %5C for \) to prevent possible security vulnerabilities.

Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450

http://securitytracker.com/id/1018110 (Look at section 4. Solution)

And here are the instructions they provide for enabling this behavior in JBoss:

Note: In response to CVE-2007-0450, JBoss AS considers encoded slashes and backslashes in URLs invalid and its usage will result in HTTP 400 error. It is possible to allow encoded slashes and backslashes by following the steps outlined below, however doing so will expose you to CVE-2007-0450 related attacks:

a) If you use the /var/lib/jbossas/bin/run.sh setup, please edit /etc/jbossas/run.conf and append

- -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

- -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true to the string assigned to JAVA_OPTS

b) If you use the init script setup to run multiple JBoss AS services and you wish to allow encoding by default on all services, please edit /etc/jbossas/jbossas.conf and add the line JAVA_OPTS="${JAVA_OPTS}

- -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

- -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"

c) If you use the init script setup to run multiple JBoss AS services and want to allow encoding of slashes and backslashes for a particular service, please edit /etc/sysconfig/${NAME} (where NAME is the name of your service) and add the line JAVA_OPTS="${JAVA_OPTS} - -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true - -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"

For Apache, it's as simple as setting "AllowEncodedSlashes NoDecode" somewhere in your apache conf or vhost conf (doesn't work in an .htaccess, however).

Apache link: http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes

like image 188
Mark E. Haase Avatar answered Nov 05 '22 11:11

Mark E. Haase