000022446 - RSA ClearTrust Agent 4.6 for Apache decodes CGI parameters in URL

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000022446
Applies To: RSA ClearTrust Agent 4.6 for Apache
Microsoft Windows 2000 Server SP4
Issue: RSA ClearTrust Agent 4.6 for Apache decodes CGI parameters in URL
RSA ClearTrust Agent 4.6 for Apache hot fix level 4.6.0.59 (and later levels before 4.6.0.91) behaves differently than level 4.6.0.40
cleartrust.agent.retain_url.use_query_string is set to true
cleartrust.agent.retain_url.preserve_query_string is set to true
URL retention does not work as expected when the URL query string is used for URL retention
CGI parameters in the retained URL are percent-decoded
Resolution: If cleartrust.agent.retain_url.use_query_string is set to true and cleartrust.agent.retain_url.preserve_query_string is also true, RSA ClearTrust Agent 4.6 for Apache should preserve the original URL, including its percent-encoded query string, exactly as requested. The example below shows the erroneous behavior. Assuming the first URL is a ClearTrust-protected resource and the parameters above are set, after authentication the user is redirected to the second URL. The parameters passed to the CGI script have been percent-decoded even though they should have been carried over untouched: %23 and %31 became a literal #1, and because an unencoded # begins the URL fragment, the browser stops the query string there and the CGI script never receives the I_DsgnNTNO#1 parameter at all.

Requested URL:
http://vmware-mike02.csau.ap.rsa.net/cgi-bin/query.cgi?I_DsgnNTNO%23%31=abcde

URL the browser is redirected to after authentication:
http://vmware-mike02.csau.ap.rsa.net/cgi-bin/query.cgi?I_DsgnNTNO#1=abcde
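The decode-versus-preserve difference, traced through to what the CGI script actually receives, as an added Python example (it is not RSA's agent code and not from the original article). It models the agent's redirect construction with urllib, using the article's own URL as constructed input, and adds a second constructed URL where the decoded characters are & and =, which the article does not show:

```python
from urllib.parse import urlsplit, urlunsplit, unquote, parse_qsl

# Constructed sample requests. The first is the URL from the article; the
# second is an added case showing that a decoded '&' or '=' splits one
# parameter into several.
REQUESTED_ARTICLE = "http://vmware-mike02.csau.ap.rsa.net/cgi-bin/query.cgi?I_DsgnNTNO%23%31=abcde"
REQUESTED_AMP = "http://vmware-mike02.csau.ap.rsa.net/cgi-bin/query.cgi?q=a%26b%3Dc"


def build_redirect(requested, decode_query=False):
    """Post-authentication redirect target for a retained URL.

    decode_query=False models preserve_query_string working correctly: the
    query component is carried over byte for byte.  decode_query=True models
    the defective agent described in the article, which percent-decodes the
    query before re-emitting it in the redirect.
    """
    parts = urlsplit(requested)
    query = unquote(parts.query) if decode_query else parts.query
    # The fragment is dropped: browsers never send it to the server anyway.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def cgi_params(url):
    """Parameters the CGI script receives when a browser fetches `url`.

    urlsplit treats a bare '#' as the start of the fragment, exactly as the
    browser does, so anything after it never reaches the server.  parse_qsl
    then splits on '&' / '=' and percent-decodes names and values, as a
    server-side CGI library would.
    """
    parts = urlsplit(url)
    return dict(parse_qsl(parts.query, keep_blank_values=True))


def retention_is_lossless(requested, decode_query=False):
    """True if redirecting through the agent leaves the CGI parameters unchanged."""
    redirected = build_redirect(requested, decode_query=decode_query)
    return cgi_params(redirected) == cgi_params(requested)


if __name__ == "__main__":
    for requested in (REQUESTED_ARTICLE, REQUESTED_AMP):
        print("requested :", requested, cgi_params(requested))
        for decode in (False, True):
            redirect = build_redirect(requested, decode_query=decode)
            print("  decode=%-5s -> %s" % (decode, redirect), cgi_params(redirect))
        print("  preserved ok:", retention_is_lossless(requested),
              " decoded ok:", retention_is_lossless(requested, decode_query=True))
```

The check worth keeping from this is retention_is_lossless: run it against your own protected URLs after changing fix levels, since the loss is silent (the redirect succeeds and the application simply sees different parameters).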

This issue was originally fixed in RSA ClearTrust Agent 4.6.0.40 for Apache but was reintroduced in RSA ClearTrust Agent 4.6.0.59 for Apache. It is resolved in hot fix 4.6.0.91 for RSA ClearTrust Agent 4.6 for Apache. Contact RSA Security Customer Support to obtain hot fix 4.6.0.91, or request the latest fix level (fix levels are cumulative and contain the fixes from all previous levels).

NOTE: A workaround for this problem is to use cookies instead of the query string for URL retention: set cleartrust.agent.retain_url.use_query_string to false.
Legacy Article ID: a28519
