Symantec Access Management

Tech Tip : CA Single Sign-On : Range HTTP header causing 403 error 

Aug 11, 2017 05:00 AM

Issue:


We're running a Web Agent on Apache. We are facing issues with HTTP requests having the Range header "bytes=100-200,201-300":

GET /mytestfile.html HTTP/1.1
Host: mymachine.mydomain.com
Range: bytes=100-200,201-300
User-Agent: Mozilla/4.61 [en] (WinNT; I)

We get error 403 Forbidden.

If the request presents the Range header as "bytes=100-200", we receive 101 bytes of the resource and the request is processed correctly.

Why do we have this?



Environment:

 

Web Agent on 12.52SP1CR00 on Apache 2.4.25

 


Cause:


This issue originates outside our Web Agent.

It is caused by a security measure that allows only certain characters, like the one described in this note:

https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-Mitigation-of-Apache-Range-Header-DoS-Attack/



Resolution:


You'll be able to fix this issue by allowing only two ranges, such as bytes=300-400,401-500, and not more. This will eliminate the risk of DoS, and the request will work.
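
The two-range limit from the resolution, as an added example that is not part of the original tech tip or of the Web Agent: a strict Range header check in Python. The function names, the decision to reject malformed values, and the constructed sample headers are assumptions made for illustration.

```python
import re

MAX_RANGES = 2  # limit given in the Resolution; everything else here is illustrative

# One byte-range-spec: "first-last", "first-" (open-ended) or "-length" (suffix).
_SPEC = re.compile(r"(\d+)-(\d*)|-(\d+)")

def parse_range(value):
    """Return [(first, last), ...] or None when the header value is malformed.
    first is None for a suffix range, last is None for an open-ended one."""
    unit, sep, spec_set = value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for item in spec_set.split(","):
        m = _SPEC.fullmatch(item.strip())
        if m is None:
            return None
        if m.group(3) is not None:
            ranges.append((None, int(m.group(3))))
            continue
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else None
        if last is not None and last < first:
            return None  # inverted range such as 200-100
        ranges.append((first, last))
    return ranges

def is_allowed(value):
    """True if the request may pass: no Range header, or at most MAX_RANGES valid ranges.
    Rejecting malformed values outright is an assumption of this example."""
    if value is None:
        return True
    ranges = parse_range(value)
    return ranges is not None and len(ranges) <= MAX_RANGES

if __name__ == "__main__":
    samples = [
        "bytes=100-200",            # from the page: single range, 101 bytes
        "bytes=100-200,201-300",    # from the page: the request that got 403
        "bytes=300-400,401-500",    # from the page: two ranges, allowed
        "bytes=0-10,20-30,40-50",   # constructed: three ranges, over the limit
        "bytes=200-100",            # constructed: malformed
    ]
    for s in samples:
        print(f"{s:28} -> {'pass' if is_allowed(s) else '403'}")
```
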

 

 

 

KD : TEC1276053
