Edge browser generates 404.11 errors in Helpdesk, Self Service and Create User realms


SecureAuth IdP Version Affected: 9.2

 

Description:

When Edge is used with realms whose Post Authentication page is one of the following 3 pages, IIS returns a 404.11 error (URL_DOUBLE_ESCAPED) if double URL decoding is disabled in IIS for security reasons.

\Authorized\AccountUpdate.aspx
\Authorized\CreateUser.aspx
\Authorized\ManageAccounts.aspx

Chrome and Firefox are not affected and do not generate double URL encoded query strings.

 

Cause:

Product Defect IDP-4784

The following files contain a client side redirect for Safari Browser:

\Authorized\AccountUpdate.aspx.vb
\Authorized\CreateUser.aspx.vb
\Authorized\ManageAccounts.aspx.vb

 

Edge should not be affected but it is because Edge includes "Safari" in its user agent string, e.g.:
UserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063"


In the event that there is already a URL encoded query string then it will result in a double encoded query string that causes IIS to reject the GET request with a 404.11 error:

e.g. original single URL encoded query string:
/SecureAuth6/Authorized/ManageAccounts.aspx?ReturnURL=%2fSecureAuth6%2fAuthorized%2fManageAccounts.aspx

and double encoded:
/SecureAuth6/Authorized/ManageAccounts.aspx%3fReturnURL%3d%252fSecureAuth6%252fAuthorized%252fManageAccounts.aspx

 

 

Resolution:

Waiting for a fix in a future release of IdP.

 

Workaround:

1. Edit the respective file for the realm in question:

Self Service  D:\SecureAuth\SecureAuthXX\Authorized\AccountUpdate.aspx.vb
Create User  D:\SecureAuth\SecureAuthXX\Authorized\CreateUser.aspx.vb
Helpdesk      D:\SecureAuth\SecureAuthXX\Authorized\ManageAccounts.aspx.vb

 

2. This is the block of code responsible for the redirect:
Dim pageRedirect = HttpUtility.UrlEncode(Request.Url.Segments(Request.Url.Segments.Length - 1) + Request.Url.Query)
If Session("PageRedirected") <> "True" And Request.UserAgent.ToLower().Contains("safari") Then
    Page.ClientScript.RegisterClientScriptBlock(Me.GetType(), "onLoad", "<script type=""text/javascript"">window.onload=location.href='" & pageRedirect & "';</script>")
    Session("PageRedirected") = "True"
End If


3. On the line starting with If Session("PageRedirected"), add a condition that checks that the user agent does not contain "edge". This fixes the problem, e.g.:
If Session("PageRedirected") <> "True" And Request.UserAgent.ToLower().Contains("safari") And Not Request.UserAgent.ToLower().Contains("edge") Then
4. Save the file.
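
The following Python model is an added example, not SecureAuth code. It reproduces the user agent condition before and after the workaround and the encoding that leads to the 404.11 response. The function names and the Safari user agent are constructed for illustration, and is_double_escaped only approximates the IIS check (the path is decoded twice and the request is rejected if the two results differ).

```python
from urllib.parse import quote, unquote, urlsplit

# User agent string quoted in this article.
EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063")
# Constructed sample of a genuine Safari user agent.
SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 "
             "(KHTML, like Gecko) Version/10.1.2 Safari/603.3.8")

def original_check(user_agent):
    """Condition from step 2: any user agent containing 'safari'."""
    return "safari" in user_agent.lower()

def workaround_check(user_agent):
    """Condition from step 3: 'safari' present and 'edge' absent."""
    ua = user_agent.lower()
    return "safari" in ua and "edge" not in ua

def redirect_target(request_url):
    """Mirror pageRedirect: URL-encode the last path segment plus the query."""
    parts = urlsplit(request_url)
    last_segment = parts.path.rsplit("/", 1)[-1]
    query = "?" + parts.query if parts.query else ""
    # Python emits upper-case hex (%3F); HttpUtility.UrlEncode emits lower-case.
    return quote(last_segment + query, safe="")

def follow_redirect(request_url):
    """Resolve the relative redirect target against the current directory."""
    directory = request_url.split("?", 1)[0].rsplit("/", 1)[0]
    return directory + "/" + redirect_target(request_url)

def is_double_escaped(url):
    """Approximate the IIS check: the path changes on a second decode."""
    once = unquote(urlsplit(url).path)
    return unquote(once) != once

if __name__ == "__main__":
    url = ("/SecureAuth6/Authorized/ManageAccounts.aspx"
           "?ReturnURL=%2fSecureAuth6%2fAuthorized%2fManageAccounts.aspx")
    for name, ua in (("Edge", EDGE_UA), ("Safari", SAFARI_UA)):
        print(name, "original:", original_check(ua),
              "workaround:", workaround_check(ua))
    target = follow_redirect(url)
    print(target, "->", "404.11" if is_double_escaped(target) else "accepted")
```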
 
 

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
