Hi:
I have a problem with a call to upload files with ZK 8.0.2.2 behind an F5 firewall, because this call is being rated as a security violation:
Requested URL [HTTPS] /[CONTEXT]/zkau
Security Policy /Common/POLICY_PCI
Virtual Server /Common/TPVS_TEST_2019
Request Status Blocked
Decoded Request
POST /[CONTEXT]/zkau HTTP/1.1
Host: [URL]
Connection: keep-alive
Content-Length: 337
sec-ch-ua: "Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
ZK-SID: 808
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: https://[URL]
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://[URL]/[CONTEXT]/[ZUL_PAGE].zul
Accept-Language: es-419,es;q=0.9
Cookie: JSESSIONID=23C26F76E36EA5F1A01C6428256AA42A; TS01d356d8=01037d2fb315cac4ce1e381dc75b97aa91631a14eed1f1bf062671439ab6eb311321cf929524a8e88a80a2c4a90e62eeb1ec89b1df429b2e737b8751213a5d26db1b8c7fb2; TS01038a28=01037d2fb3d792fc05ba4c32dd732b4a0312b54f64675106a38e3bada913cf058111af1bfefed111501f2238c1fdab84826bcff531

dtid=z_ppm&cmd_0=onAnchorPos&uuid_0=wXBQn&data_0={"top":128,"left":0}&cmd_1=onSelect&uuid_1=wXBQn&data_1={"items":["wXBQ_2"],"reference":"wXBQ_2","clearFirst":false,"selectAll":false,"pageX":207,"pageY":293,"which":1,"x":149,"y":174}

Violation Details
Attack signature detected [1]
Detected Keyword: cmd_1=onSelect
Attack Signature ID: 200000
Name: onselect... (Parameter)
Context: Parameter (detected in Form Data)
Parameter Level: Global
Actual Parameter Name: cmd_1
Wildcard Parameter Name: *
Parameter Value: onSelect
Can you help me?
Btw your request doesn't indicate any file upload operation.
The request looks correct from a ZK perspective; the onSelect event is a valid event for a component like a combobox or listbox.
I can't comment on the F5 firewall, I assume it needs some configuration. However, the Attack Signature ID200000 didn't give me any search results, so I can't comment on that.
Detected Keyword: cmd_1=onSelect
Attack Signature: ID 200001034 Name onselect... (Parameter) Context: Parameter (detected in Form Data) Actual Parameter Name: cmd_1 Wildcard Parameter Name: *
If that's the parameter the firewall is complaining about -> then you'll have to disable the rule, or add an exception for the parameters needed by ZK.
ZK's AU Engine needs a variable number of request parameters, sequenced like cmd_0, cmd_1, cmd_2 ... (also data_X and uuid_X) to allow multiple events to be sent within a single request to the server.
There's no way to disable/change this easily. You have to allow this in your firewall.
An alternative could be to switch to websockets.
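The AU batch shape cor3000 describes above (dtid plus cmd_N / uuid_N / data_N for each queued client event), as an added example that is not part of this thread or of the ZK project: a small checker that validates an AU body against that shape, which is the scope a WAF exception for these parameters should be limited to rather than disabling the onselect signature globally. The event-name pattern and the second sample body are my assumptions; the first sample body is the one from the question.

```python
import json
import re
from urllib.parse import parse_qs

# Parameter names ZK's AU engine sends: dtid plus cmd_N / uuid_N / data_N triples.
AU_PARAM_RE = re.compile(r"^(cmd|uuid|data)_(\d+)$")
# Assumption: ZK client event names are camelCase and start with "on"
# (onSelect, onAnchorPos, ...); anything else in a cmd_N is not an AU event.
EVENT_NAME_RE = re.compile(r"^on[A-Z][A-Za-z0-9]*$")
FIXED_PARAMS = {"dtid"}

# AU body copied from the blocked request in the question.
PAGE_BODY = ('dtid=z_ppm&cmd_0=onAnchorPos&uuid_0=wXBQn&data_0={"top":128,"left":0}'
             '&cmd_1=onSelect&uuid_1=wXBQn&data_1={"items":["wXBQ_2"],"reference":"wXBQ_2",'
             '"clearFirst":false,"selectAll":false,"pageX":207,"pageY":293,"which":1,"x":149,"y":174}')
# Constructed body that deviates from the AU shape in three ways.
BAD_BODY = "dtid=z_ppm&cmd_0=onSelect&uuid_0=wXBQn&data_0={}&cmd_1=select&foo=1"


def check_au_body(body: str) -> dict:
    """Parse an x-www-form-urlencoded ZK AU body and report deviations from the AU shape.

    Returns {"events": [...], "findings": [...]}; an empty findings list means every
    parameter is one the AU engine would send, so a scoped exception can safely cover it.
    """
    params = parse_qs(body, keep_blank_values=True)
    findings, events, indices = [], {}, set()
    for name, values in params.items():
        if len(values) != 1:
            findings.append(f"repeated parameter {name}")
        if name in FIXED_PARAMS:
            continue
        m = AU_PARAM_RE.match(name)
        if not m:
            findings.append(f"unexpected parameter {name}")
            continue
        kind, idx = m.group(1), int(m.group(2))
        indices.add(idx)
        if kind == "cmd":
            if not EVENT_NAME_RE.match(values[0]):
                findings.append(f"{name} is not a ZK event name: {values[0]!r}")
            events[idx] = values[0]
        elif kind == "data":
            try:
                json.loads(values[0])  # data_N carries the event payload as JSON
            except ValueError:
                findings.append(f"{name} is not valid JSON")
    for idx in sorted(indices):  # every event index needs both its cmd_N and uuid_N
        for kind in ("cmd", "uuid"):
            if f"{kind}_{idx}" not in params:
                findings.append(f"missing {kind}_{idx}")
    return {"events": [events[i] for i in sorted(events)], "findings": findings}
```

Run on the body from the question it reports two well-formed events and no findings, which is what you would hand to the security team to justify an exception scoped to `cmd_*` / `uuid_*` / `data_*` on the `/zkau` URL only.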
Asked: 2021-01-26 02:00:36 +0800
Last updated: Jan 27 '21
Hi:
Thank you, the violation details are:
Violation Details
Attack signature detected [1]
Detected Keyword: cmd_1=onSelect
Attack Signature: ID 200001034 Name onselect... (Parameter) Context: Parameter (detected in Form Data) Actual Parameter Name: cmd_1 Wildcard Parameter Name: *
jstz ( 2021-01-27 04:07:25 +0800 )
Parameter Value: onSelect; Applied Blocking Settings: Block Alarm Learn
The violation occurs when I try to choose a file to upload to the server.
jstz ( 2021-01-27 04:10:48 +0800 )
Thank you for your comments.
One additional question: have the parameters cmd0, cmd1, etc. always been used, that is, in previous versions?
Thank you so much.
jstz ( 2021-02-03 03:32:26 +0800 )
Yes, as long as I've been working with ZK (~8 years) this was the case; I think at least since ZK 5. E.g. you can verify that live on https://zkfiddle.org/ down to version 6.5.8.1.
cor3000 ( 2021-02-03 09:26:35 +0800 )
Here is the related source in case you need proof for your security guys: https://github.com/zkoss/zk/blame/816ef760377f33d245d0b401e8593881b071af7b/zk/src/archive/web/js/zk/au.js
cor3000 ( 2021-02-03 09:28:50 +0800 )