Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Jan 22, 2016
Customer installed and configured SiteMinder Web Agent on Apache 2.4.
He has a PHP module that expects some of the default SiteMinder headers (e.g. SM_USER, SM_DOMAIN) and also some custom headers that have an underscore in their names (e.g. USER_NAME).
However, when he reads the HTTP headers from the PHP module (or a CGI module), none of the headers with an underscore in their names are set.
All other headers are working fine.
Policy Server: r12.52 SP1 CR2 (however, this applies to any version)
This is a new feature introduced in Apache 2.4 that affects multiple modules, such as mod_cgi, mod_include, mod_isapi and PHP.
It was introduced to prevent cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped.
For the default SiteMinder Headers
You can specify which naming convention the Web Agent uses for the default HTTP headers with the following parameter:
LegacyVariables: specifies whether the Web Agent uses underscores in HTTP header names.
LegacyVariables = yes (default): the HTTP headers have underscores (e.g. SM_USER, SM_USERDN).
LegacyVariables = no: the HTTP headers have no underscores (e.g. SMUSER, SMUSERDN).
For custom HTTP Headers
LegacyVariables only controls the default SiteMinder HTTP headers. It does not modify user-defined HTTP headers.
So, to get around this restriction in Apache 2.4, you need to ensure that your custom HTTP header names do not contain any underscores.
Alternatively, you can refer to the workaround suggested by Apache, which basically bypasses this new security restriction.
It involves configuring mod_setenvif and mod_headers, which allows you to still accept these headers with underscores.
Reference: Environment Variables in Apache - Apache HTTP Server Version 2.5
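To see why the headers vanish, here is an added Python model (not code from this post, from CA or from Apache) of the naming rule Apache applies when it exports request headers to the CGI/PHP environment: 2.2 rewrote every non-alphanumeric character to an underscore, while 2.4 exports only names made of letters, digits and hyphens and drops the rest. The header sets are constructed to mirror what the Web Agent injects under both LegacyVariables settings, plus the custom USER_NAME header; it also shows the hyphen/underscore ambiguity the 2.4 rule closes.

```python
"""Added model of how Apache maps request header names to HTTP_* variables.

Constructed example, not Apache's own code: it reproduces the naming rule,
not the server. Apache 2.2 turned every non-alphanumeric character into '_';
Apache 2.4 accepts only letters, digits and '-' and silently drops the rest.
"""
from typing import Dict, Optional


def http2env(name: str, apache24: bool = True) -> Optional[str]:
    """Return the HTTP_* environment variable name for a request header.

    Returns None when Apache 2.4 would drop the header because its name
    contains an invalid character (the underscore in SM_USER or USER_NAME).
    """
    out = []
    for c in name:
        if c.isascii() and c.isalnum():
            out.append(c.upper())
        elif c == "-" or not apache24:
            out.append("_")          # 2.2 mapped any other character to '_'
        else:
            return None              # 2.4: header is not exported at all
    return "HTTP_" + "".join(out)


def export_headers(headers: Dict[str, str], apache24: bool = True) -> Dict[str, str]:
    """Return the $_SERVER-style view a PHP or CGI script would receive."""
    env = {}
    for name, value in headers.items():
        key = http2env(name, apache24)
        if key is not None:
            env[key] = value
    return env


# Constructed request headers, as the Web Agent would inject them.
LEGACY_HEADERS = {"SM_USER": "jdoe", "SM_USERDN": "uid=jdoe,ou=people",
                  "USER_NAME": "John Doe", "Host": "app.example.com"}
# LegacyVariables = no for the defaults; custom header renamed with a hyphen.
NO_UNDERSCORE_HEADERS = {"SMUSER": "jdoe", "SMUSERDN": "uid=jdoe,ou=people",
                         "User-Name": "John Doe", "Host": "app.example.com"}

if __name__ == "__main__":
    print("2.2:", sorted(export_headers(LEGACY_HEADERS, apache24=False)))
    print("2.4:", sorted(export_headers(LEGACY_HEADERS)))
    print("2.4, no underscores:", sorted(export_headers(NO_UNDERSCORE_HEADERS)))
```

On 2.2 both User-Name and User_Name become HTTP_USER_NAME, which is the ambiguity the 2.4 rule removes; renaming a custom header to the hyphenated form keeps the same HTTP_USER_NAME variable visible to the PHP module on 2.4 without the mod_setenvif/mod_headers workaround.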