SecureAuth IdP Version Affected: 9.2
Description:
When Microsoft Edge is used with a realm whose Post Authentication page is one of the following three pages, the request fails with an IIS 404.11 error (URL_DOUBLE_ESCAPED) if double escaping is disallowed in IIS request filtering (allowDoubleEscaping="false", which is the default and is normally kept for security reasons):
\Authorized\AccountUpdate.aspx
\Authorized\CreateUser.aspx
\Authorized\ManageAccounts.aspx
Chrome and Firefox are not affected and do not generate double URL encoded query strings.
Cause:
Product Defect IDP-4784
The following files contain a client-side redirect intended for the Safari browser:
\Authorized\AccountUpdate.aspx.vb
\Authorized\CreateUser.aspx.vb
\Authorized\ManageAccounts.aspx.vb
Edge should not take this redirect, but it does because the Edge user agent string also contains "Safari", e.g.:
UserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063"
The redirect re-encodes the last path segment together with the query string. If the query string is already URL encoded, the result is double encoded (note that the "?" itself becomes %3f, so the whole string is sent as the path), and IIS rejects the GET request with a 404.11 error:
e.g. original single URL encoded query string:
/SecureAuth6/Authorized/ManageAccounts.aspx?ReturnURL=%2fSecureAuth6%2fAuthorized%2fManageAccounts.aspx
and double encoded:
/SecureAuth6/Authorized/ManageAccounts.aspx%3fReturnURL%3d%252fSecureAuth6%252fAuthorized%252fManageAccounts.aspx
Resolution:
Waiting for a fix in a future release of IdP. Enabling double escaping in IIS request filtering (allowDoubleEscaping="true") would suppress the 404.11, but it removes a request-filtering protection for the whole site rather than just these pages; prefer the code workaround below.
Workaround:
1. Edit the respective file for the realm in question:
Self Service D:\SecureAuth\SecureAuthXX\Authorized\AccountUpdate.aspx.vb
Create User D:\SecureAuth\SecureAuthXX\Authorized\CreateUser.aspx.vb
Helpdesk D:\SecureAuth\SecureAuthXX\Authorized\ManageAccounts.aspx.vb
2. Locate the Safari redirect block in that file:
' Re-encodes the last path segment plus the query string. If the query string is already URL encoded, this encodes it a second time.
Dim pageRedirect = HttpUtility.UrlEncode(Request.Url.Segments(Request.Url.Segments.Length - 1) + Request.Url.Query)
' Substring match on the user agent: any browser whose user agent contains "safari" (Edge included) takes this path once per session.
If Session("PageRedirected") <> "True" And Request.UserAgent.ToLower().Contains("safari") Then
    Page.ClientScript.RegisterClientScriptBlock(Me.GetType(), "onLoad", "<script type=""text/javascript"">window.onload=location.href='" & pageRedirect & "';</script>")
    Session("PageRedirected") = "True"
End If
3. On the line starting If Session("PageRedirected"), add a further condition so the redirect is skipped when the user agent contains "edge", e.g.:
If Session("PageRedirected") <> "True" And Request.UserAgent.ToLower().Contains("safari") And Not Request.UserAgent.ToLower().Contains("edge") Then
4. Save the file.
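The following is an added example, not SecureAuth's code: it re-implements the relevant pieces of the VB.NET code-behind in Python (the UrlEncode call, the relative redirect, and the shipped and patched If conditions) next to a simplified model of the IIS request-filtering check, so the failure described in the Cause section and the effect of the workaround can be run offline. The encoder is an approximation of HttpUtility.UrlEncode based on its documented safe characters, the IIS model assumes the double-escaping check applies to the path only, and the user agent strings other than the Edge one quoted in the article are constructed samples.

```python
"""Model of SecureAuth defect IDP-4784 (added illustration, not product code):
the Safari client-side redirect re-encodes an already URL-encoded query
string, and IIS request filtering rejects the double-escaped path with 404.11.
"""
from urllib.parse import unquote, urljoin

# Characters HttpUtility.UrlEncode leaves unencoded (letters, digits, -_.!*()).
# Assumption: modelled on the .NET reference source; hex is emitted in lower
# case, matching the URLs shown in the article.
_DOTNET_SAFE = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.!*()"
)


def dotnet_url_encode(s: str) -> str:
    """Approximation of System.Web.HttpUtility.UrlEncode (space -> '+')."""
    out = []
    for ch in s:
        if ch in _DOTNET_SAFE:
            out.append(ch)
        elif ch == " ":
            out.append("+")
        else:
            out.extend("%%%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def build_page_redirect(path: str, query: str) -> str:
    """Mirror of the VB line that builds pageRedirect:
    UrlEncode(Request.Url.Segments(last) + Request.Url.Query).
    path is Request.Url.AbsolutePath, query is Request.Url.Query ('?...')."""
    last_segment = path.rsplit("/", 1)[-1]  # Request.Url.Segments(Length - 1)
    return dotnet_url_encode(last_segment + query)


def redirect_target(path: str, query: str) -> str:
    """URL the browser requests after location.href = pageRedirect. The value
    is relative, so it resolves against the current page's directory."""
    return urljoin(path, build_page_redirect(path, query))


def iis_rejects_double_escape(url: str) -> bool:
    """Simplified model of IIS request filtering with allowDoubleEscaping
    false: the path is rejected (404.11, URL_DOUBLE_ESCAPED) when decoding it
    a second time still changes it. Assumption: the query string (after a
    literal '?') is not subject to this check."""
    path = url.split("?", 1)[0]
    once = unquote(path)
    return unquote(once) != once


def safari_redirect_fires(user_agent: str, page_redirected: bool = False,
                          exclude_edge: bool = False) -> bool:
    """The If condition from the code-behind. exclude_edge=False is the
    condition shipped in 9.2; exclude_edge=True is the KB workaround."""
    ua = user_agent.lower()
    if page_redirected or "safari" not in ua:
        return False
    if exclude_edge and "edge" in ua:
        return False
    return True


# Edge user agent quoted in the article; the other two are constructed samples.
EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063")
SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 "
             "(KHTML, like Gecko) Version/10.1.2 Safari/603.3.8")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0"

# Request matching the article's example (constructed from the URLs it shows).
SAMPLE_PATH = "/SecureAuth6/Authorized/ManageAccounts.aspx"
SAMPLE_QUERY = "?ReturnURL=%2fSecureAuth6%2fAuthorized%2fManageAccounts.aspx"

if __name__ == "__main__":
    original = SAMPLE_PATH + SAMPLE_QUERY
    target = redirect_target(SAMPLE_PATH, SAMPLE_QUERY)
    for label, url in (("original", original), ("redirect", target)):
        verdict = "404.11" if iis_rejects_double_escape(url) else "served"
        print(f"{label}: {url} -> {verdict}")
    print("shipped condition fires for Edge:", safari_redirect_fires(EDGE_UA))
    print("patched condition fires for Edge:", safari_redirect_fires(EDGE_UA, exclude_edge=True))
    print("patched condition fires for Safari:", safari_redirect_fires(SAFARI_UA, exclude_edge=True))
```

Running the script shows the single-encoded request being served and the redirect target being rejected, because the encoded "?" turns the whole string into the path and the %252f sequences decode twice. Two caveats on the workaround itself, beyond what the article states: the check is a plain substring match, and Chromium-based Edge identifies itself with "Edg/" rather than "Edge/", so Not Contains("edge") does not exclude it.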
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.