HTTP requests with URLs longer than 1531 characters return 403 Forbidden on the Access Gateway Service on Windows

  • 7020720
  • 07-Jun-2017
  • 09-Jun-2017

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
NetIQ Access Gateway Service on Windows

Situation

Users accessing a protected application behind an Access Gateway Service (AGS) on Windows report intermittently receiving a 403 status with the following message:

You don't have permission to access the requested object

After enabling more debugging on the AGS via the LogLevel advanced option and examining the error_log output, we could see that each 403 corresponded to a long URL, e.g. /custom/service/evam_v0_1/rest.php?method=get_logements_by_inquire&input_type=JSON&response_type=JSON&rest_data=%221891,12370,2633,3655,13554,12369,17713,18466,18469,13745,14162,20522,14283,3702,15750,15751,14938,16090,16091,14734,15525,15526,15527,15671,15528,31939,14020,25432,60180,26495,30305,28142,32022,66320,42280,42281,38574,38575,39472,42411,42420,42421,42422,23007,23008,43762,23682,23684,23685,43347,43398,43424,56402,39471,35699,40973,37702,57181,39996,40056,35534,38899,38901,41673,48891,48348,63176,46044,46045,49555,56304,52697,52967,51076,51077,53470,55426,55427,46337,44135,44136,52559,51468,51470,58009,58010,54489,54490,58301,58890,58893,55521,55522,55523,46338,64115,64443,57503,44912,58252,54216,58368,44724,62590,45907,64480,64481,64482,64483,64873,49952,47873,50157,45385,76192,71249,71250,78216,79590,76909,80551,82974,83044,67724,67725,67726,66844,67502,67904,79820,79879,67399,65408,65409,71077,71803,72084,72670,80229,80231,69481,69482,72984,72985,80656,80657,72986,72989,67414,81167,59582,59583,59584,57535,57536,69098,69099,69100,67665,74565,74692,81501,81502,81573,80270,81740,67854,67855,67856,67857,67860,66982,66983,76706,76707,81966,65293,71873,71874,77217,74051,82127,82293,66443,66444,78173,82349,68878,71207,65233,78383,67278,71156,71161,67708,67709,67893,67894,75903,78942,81925,82621,82680,79042,79126,65986,86074,97398,85383,98158,98396,98397,99807,90158,84269,85884,95605,97564,89179,89180,92746,89785,96009,87865,86544,86550,96340,97665,86814,86816,1111%22

After reproducing the issue by pasting the same URL into the browser, we manually removed strings from the request and determined that any URL longer than 1531 characters fails.
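The trimming just described can be automated: bisect between a URL length that is known to work and one that is known to fail, instead of removing pieces of the query string by hand. The script below is an added example and is not part of this TID or of the Access Manager product. It assumes a hypothetical send callable that takes a full URL and returns the HTTP status code; simulated_gateway is a constructed stand-in for the unpatched AGS (403 above 1531 characters) so the example runs offline, and can be replaced with a real client such as lambda u: requests.get(u, allow_redirects=False).status_code to measure a gateway you operate.

```python
"""Added example, not part of the NetIQ TID: bisect the longest URL length the
gateway accepts, automating the manual trimming described in the article.

Assumptions (hypothetical): ``send`` is any callable that takes a full URL and
returns the HTTP status code; ``simulated_gateway`` is a constructed model of
the pre-4.3.2 AGS that returns 403 once the URL exceeds 1531 characters.
"""
from typing import Callable, List, Optional

OBSERVED_LIMIT = 1531  # threshold the article found; used only by the simulation


def build_url(base: str, length: int) -> str:
    """Pad ``base`` with digits until the URL is exactly ``length`` characters."""
    if length < len(base):
        raise ValueError("requested length is shorter than the base URL")
    return base + "7" * (length - len(base))


def simulated_gateway(url: str) -> int:
    """Constructed model of the faulty AGS: 403 above the limit, 200 otherwise."""
    return 403 if len(url) > OBSERVED_LIMIT else 200


def find_max_accepted_length(send: Callable[[str], int], base: str,
                             good: int, bad: int,
                             probes: Optional[List[int]] = None) -> int:
    """Return the largest URL length in [good, bad] that ``send`` does not reject.

    ``good`` must be a length known to work and ``bad`` one known to fail.  The
    search assumes a monotone cut-off (once a length fails, every longer URL
    fails too), which is what the article observed.  ``probes`` optionally
    collects the lengths tried, so the caller can see how few requests
    bisection needs compared with trimming the query string by hand.
    """
    if send(build_url(base, good)) == 403:
        raise ValueError("lower bound is already rejected; pick a shorter 'good'")
    if send(build_url(base, bad)) != 403:
        return bad  # nothing in the range is rejected
    while bad - good > 1:
        mid = (good + bad) // 2
        if probes is not None:
            probes.append(mid)
        if send(build_url(base, mid)) == 403:
            bad = mid
        else:
            good = mid
    return good


if __name__ == "__main__":
    tried: List[int] = []
    limit = find_max_accepted_length(simulated_gateway,
                                     "https://gw.example.test/app?q=", 100, 4000, tried)
    print(f"largest accepted URL length: {limit} after {len(tried)} bisection probes")
```

Against the simulated gateway the search settles on 1531 in about a dozen probes. When run against a real gateway, keep the padding in the query string (as above) rather than the path, so the result reflects the same URL component the article's failing requests used.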

Although there is no specific requirement on the maximum length of a URL, browsers do limit it, e.g. IE restricts URLs to 2033 characters (https://support.microsoft.com/en-us/help/208427/maximum-url-length-is-2,083-characters-in-internet-explorer).

No Apache configuration option exists to increase this URL size limit.

Resolution

Apply the NAM 4.3.2 patch update. The hard-coded limit has been increased to 3000 characters, which covers the maximum URL length enforced by all the browsers.

Additional Information

Log file snippet:

GET /custom/service/evam_v0_1/rest.php?method=get_logements_by_requerants&input_type=JSON&response_type=JSON&rest_data=%221891,12370,2633,3655,13554,12369,17713,18466,18469,13745,14162,20522,14283,3702,15750,15751,14938,16090,16091,14734,15525,15526,15527,15671,15528,31939,14020,25432,60180,26495,30305,28142,32022,66320,42280,42281,38574,38575,39472,42411,42420,42421,42422,23007,23008,43762,23682,23684,23685,43347,43398,43424,56402,39471,35699,40973,37702,57181,39996,40056,35534,38899,38901,41673,48891,48348,63176,46044,46045,49555,56304,52697,52967,51076,51077,53470,55426,55427,46337,44135,44136,52559,51468,51470,58009,58010,54489,54490,58301,58890,58893,55521,55522,55523,46338,64115,64443,57503,44912,58252,54216,58368,44724,62590,45907,64480,64481,64482,64483,64873,49952,47873,50157,45385,76192,71249,71250,78216,79590,76909,80551,82974,83044,67724,67725,67726,66844,67502,67904,79820,79879,67399,65408,65409,71077,71803,72084,72670,80229,80231,69481,69482,72984,72985,80656,80657,72986,72989,67414,81167,59582,59583,59584,57535,57536,69098,69099,69100,67665,74565,74692,81501,81502,81573,80270,81740,67854,67855,67856,67857,67860,66982,66983,76706,76707,81966,65293,71873,71874,77217,74051,82127,82293,66443,66444,78173,82349,68878,71207,65233,78383,67278,71156,71161,67708,67709,67893,67894,75903,78942,81925,82621,82680,79042,79126,65986,86074,97398,85383,98158,98396,98397,99807,90158,84269,85884,95605,97564,89179,89180,92746,89785,96009,87865,86544,86550,96340,97665,86814,86816,1111%22
[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Host: dev2-asylog.netiq.dev
[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64;rv:51.0) Gecko/20100101 Firefox/51.0
[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Accept: */*
[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Accept-Language: null
[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Accept-Encoding: gzip, deflate, br
[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Cookie: ZNPCQ003-35343000=accee47a;PHPSESSID=grjjg5eal471secsj1b9vakev3; ZNPCQ003-33383000=b696a7c0
[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Connection: keep-alive
[Wed Feb 22 11:46:48 2017] [debug] mod_auth_liberty.c(715): AMEVENTID#2: Host Header is dev2-asylog.netiq.dev

###[Wed Feb 22 11:46:48 2017] [info] AM#504600000 AMDEVICEID#ag-6196023149112478: AMAUTHID#: AMEVENTID#2: Requ: GET https://dev2-asylog.netiq.dev/custom/service/evam_v0_1/rest.php?method=get_logements_by_requerants&input_type=JSON&response_type=JSON&rest_data=%221891,12370,2633,3655,13554,12369,17713,18466,18469,13745,14162,20522,14283,3702,15750,15751,14938,16090,16091,14734,15525,15526,15527,15671,15528,31939,14020,25432,60180,26495,30305,28142,32022,66320,42280,42281,38574,38575,39472,42411,42420,42421,42422,23007,23008,43762,23682,23684,23685,43347,43398,43424,56402,39471,35699,40973,37702,57181,39996,40056,35534,38899,38901,41673,48891,48348,63176,46044,46045,49555,56304,52697,52967,51076,51077,53470,55426,55427,46337,44135,44136,52559,51468,51470,58009,58010,54489,54490,58301,58890,58893,55521,55522,55523,46338,64115,64443,57503,44912,58252,54216,58368,44724,62590,45907,64480,64481,64482,64483,64873,49952,47873,50157,45385,76192,71249,71250,78216,79590,76909,80551,82974,83044,67724,67725,67726,66844,67502,67904,79820,79879,67399,65408,65409,71077,71803,72084,72670,80229,80231,69481,69482,72984,72985,80656,80657,72986,72989,67414,81167,59582,59583,59584,57535,57536,69098,69099,69100,67665,74565,74692,81501,81502,81573,80270,81740,67854,67855,67856,67857,67860,66982,66983,76706,76707,81966,65293,71873,71874,77217,74051,82127,82293,66443,66444,78173,82349,68878,71207,65233,78383,67278,71156,71161,67708,67709,67893,67894,75903,78942,81925,82621,82680,79042,79126,65986,86074,97398,85383,98158,98396,98397,99807,90158,84269,85884,95605,97564,89179,89180,92746,89785,96009,87865,86544,86550,96340,97665,86814,86816,1111%22 service:d-dev2-asylog (10.175.134.128:56199->10.176.99.29:443)
[Wed Feb 22 11:46:48 2017] [debug] mod_auth_liberty.c(715): AMEVENTID#3: Host Header is dev2-asylog.netiq.dev
[Wed Feb 22 11:46:48 2017] [info] AM#504600404 AMDEVICEID#ag-6196023149112478: AMAUTHID#: AMEVENTID#2: subreq dev2-asylog.netiq.dev:/NAGErrors/HTTP_FORBIDDEN.html.var
[Wed Feb 22 11:46:48 2017] [debug] mod_cache.c(175): Adding CACHE_SAVE filter for /NAGErrors/HTTP_FORBIDDEN.html.var
[Wed Feb 22 11:46:48 2017] [debug] mod_cache.c(182): Adding CACHE_REMOVE_URL filter for /NAGErrors/HTTP_FORBIDDEN.html.var
[Wed Feb 22 11:46:48 2017] [info] AMEVENTID#3: Cache miss
[Wed Feb 22 11:46:48 2017] [debug] mod_cache.c(701): cache: /NAGErrors/HTTP_FORBIDDEN.html.var not cached. Reason: C014:Response status 403
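In the snippet, the 403 surfaces as a subrequest for /NAGErrors/HTTP_FORBIDDEN.html.var carrying the same AMEVENTID as the original "Requ:" line. The script below is an added example, not part of this TID or of the product, that makes that correlation mechanically: it maps each AMEVENTID to its request URL length and to whether a forbidden subrequest followed, and lists the events where a 403 coincides with a URL longer than the 1531-character threshold. LOG is a constructed, abbreviated copy of the snippet with a synthetic rest_data list, and the regular expressions are an assumption about the log layout beyond the lines shown here.

```python
"""Added example, not part of the NetIQ TID: correlate AGS error_log lines so
that each 403 (the subrequest to /NAGErrors/HTTP_FORBIDDEN.html.var) is matched
to the request that triggered it via the shared AMEVENTID, then flag the ones
whose URL exceeds the length threshold the article found.
"""
import re
from typing import Dict, List

URL_LIMIT = 1531  # largest URL length the unpatched AGS accepted

# Constructed sample modelled on the snippet above: event 2 carries an over-long
# URL and gets the 403 subrequest, event 5 is a short request served normally.
LONG_LIST = ",".join(str(n) for n in range(10000, 10400))  # ~2400 characters
BASE = ("https://dev2-asylog.netiq.dev/custom/service/evam_v0_1/rest.php"
        "?method=get_logements_by_requerants&input_type=JSON&response_type=JSON&rest_data=%22")
TS = "[Wed Feb 22 11:46:48 2017]"
DEV = "AMDEVICEID#ag-6196023149112478: AMAUTHID#:"
LOG = "\n".join([
    f"{TS} [info] AM#504600000 {DEV} AMEVENTID#2: Requ: GET {BASE}{LONG_LIST}%22 "
    f"service:d-dev2-asylog (10.175.134.128:56199->10.176.99.29:443)",
    f"{TS} [debug] mod_auth_liberty.c(715): AMEVENTID#3: Host Header is dev2-asylog.netiq.dev",
    f"{TS} [info] AM#504600404 {DEV} AMEVENTID#2: subreq dev2-asylog.netiq.dev:/NAGErrors/HTTP_FORBIDDEN.html.var",
    f"{TS} [info] AM#504600000 {DEV} AMEVENTID#5: Requ: GET {BASE}1891,12370%22 "
    f"service:d-dev2-asylog (10.175.134.128:56200->10.176.99.29:443)",
    f"{TS} [debug] mod_cache.c(701): cache: /NAGErrors/HTTP_FORBIDDEN.html.var not cached. "
    f"Reason: C014:Response status 403",
])

# Assumed layouts, taken from the lines in the snippet.
REQ_RE = re.compile(r"AMEVENTID#(?P<ev>\d+): Requ: (?P<method>[A-Z]+) (?P<url>\S+)")
FORBIDDEN_RE = re.compile(r"AMEVENTID#(?P<ev>\d+): subreq \S*/HTTP_FORBIDDEN\.html\.var")


def correlate(log: str) -> Dict[str, dict]:
    """Map each AMEVENTID to its request method, URL length and 403 outcome."""
    events: Dict[str, dict] = {}
    for line in log.splitlines():
        m = REQ_RE.search(line)
        if m:
            ev = events.setdefault(m["ev"], {"forbidden": False, "url_length": None, "method": None})
            ev["method"] = m["method"]
            ev["url_length"] = len(m["url"])
            continue
        m = FORBIDDEN_RE.search(line)
        if m:
            events.setdefault(m["ev"], {"forbidden": False, "url_length": None, "method": None})
            events[m["ev"]]["forbidden"] = True
    return events


def length_related_403s(log: str, limit: int = URL_LIMIT) -> List[str]:
    """Event IDs whose 403 coincides with a URL longer than ``limit``: this bug's signature."""
    return sorted(ev for ev, info in correlate(log).items()
                  if info["forbidden"] and (info["url_length"] or 0) > limit)


if __name__ == "__main__":
    for ev, info in sorted(correlate(LOG).items()):
        print(f"AMEVENTID#{ev}: {info['method']} url_length={info['url_length']} forbidden={info['forbidden']}")
    print("403s explained by URL length:", length_related_403s(LOG))
```

A 403 whose URL is under the threshold is not explained by this bug and should be investigated as an ordinary authorization denial; after applying the 4.3.2 patch, re-running the correlation with limit=3000 is a quick way to confirm that no length-related 403s remain.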