UAG Login Page input validation issue

  • Question

  • Hi,

    During a security audit, the auditor reported the following issue:

    If the value of the 'Username' field contains an asterisk (*), the application displays an error page instead of the normal 'Authentication failed.' message.

    The body of the error page is the following:

    You have attempted to access a restricted URL.
    The URL contains an invalid parameter.
    Navigate back and follow another link, or type in a different URL.

    URL is this (sitename masked): https://<sitename/InternalSite/InternalError.asp?site_name=<site>&secure=1&error_code=20&policy_id= . I can't find anything from google/bing related to this.

    Another problem is that I can't find any place where this false logon attempt is logged. I think UAG should show a bit more informal message than just this "basic error".

    Does this sound familiar? This can also be reproduced with an OOB installation.

    Any help is appreciated.

    BR,

    Snendis


    Wednesday, October 27, 2010 2:24 PM

Answers

  • I believe that asterisk is an invalid character.

    Check out the URL inspection tab of your trunk configuration.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Wednesday, November 24, 2010 7:37 PM
    Wednesday, October 27, 2010 11:06 PM
  • Hi Amig@, there is a description here http://technet.microsoft.com/en-us/library/dd861438.aspx of the URL inspection features. Maybe that can help. Check also the IAG User Guide and Advanced User Guide for a more detailed description of the capabilities. Hope it helps.
    // Raúl - I love this game
    • Marked as answer by Erez Benari Wednesday, November 24, 2010 7:37 PM
    Thursday, October 28, 2010 11:03 AM

All replies

  • Hi Jason,

    That's indeed an invalid character. I checked that already.

    I was a bit unclear about what I requested here.

    The Security Audit team told me this could pose an LDAP injection and I don't really agree with them. I would need to provide an explanation to them, and maybe I could get an "official" reference that UAG is built to handle these invalid characters this way and that it doesn't really pose an LDAP injection as Sec Audit stated.

    Comments?

    -Snendis

    Thursday, October 28, 2010 8:04 AM
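Added example, not code from the thread or from UAG, contrasting the two defences the discussion touches on: rejecting '*' at the edge the way the trunk's URL inspection rule does, and RFC 4515 escaping for any value that is still placed into an LDAP search filter. The username allowlist pattern and the attribute name sAMAccountName are assumptions for illustration.

```python
import re

# RFC 4515 section 3: characters with special meaning inside a filter
# assertion value, each replaced by a backslash and its hex code.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed allowlist for login names; not UAG's actual inspection rule.
_USERNAME_ALLOWED = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def is_valid_username(username: str) -> bool:
    """Edge validation: anything outside the allowlist is refused before it
    reaches the directory, which is what a front-door inspection rule does."""
    return bool(_USERNAME_ALLOWED.fullmatch(username))


def escape_ldap_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Build the user lookup filter with both layers: refuse bad input, then
    escape anyway so a gap in one layer is still covered by the other."""
    if not is_valid_username(username):
        raise ValueError("username rejected by input validation")
    return f"(sAMAccountName={escape_ldap_filter_value(username)})"


def unsafe_user_filter(username: str) -> str:
    """The pattern the auditor was worried about: raw interpolation, where a
    bare '*' turns an equality match into a wildcard match. Shown only as
    the contrast to build_user_filter; do not use."""
    return f"(sAMAccountName={username})"
```

The point for the audit discussion: an input that never passes is_valid_username cannot reach the filter at all, so the error page described in the question is the validation layer doing its job rather than evidence of injection.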