Hi:
I have a problem with a call to upload files with ZK 8.0.2.2 behind an F5 firewall, because this call is being flagged as a security violation:
Requested URL [HTTPS] /[CONTEXT]/zkau
Security Policy /Common/POLICY_PCI
Virtual Server /Common/TPVS_TEST_2019
Request Status Blocked
Decoded Request
POST /[CONTEXT]/zkau HTTP/1.1
Host: [URL]
Connection: keep-alive
Content-Length: 337
sec-ch-ua: "Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
ZK-SID: 808
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: https://[URL]
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://[URL]/[CONTEXT]/[ZUL_PAGE].zul
Accept-Language: es-419,es;q=0.9
Cookie: JSESSIONID=23C26F76E36EA5F1A01C6428256AA42A; TS01d356d8=01037d2fb315cac4ce1e381dc75b97aa91631a14eed1f1bf062671439ab6eb311321cf929524a8e88a80a2c4a90e62eeb1ec89b1df429b2e737b8751213a5d26db1b8c7fb2; TS01038a28=01037d2fb3d792fc05ba4c32dd732b4a0312b54f64675106a38e3bada913cf058111af1bfefed111501f2238c1fdab84826bcff531
dtid=z_ppm&cmd_0=onAnchorPos&uuid_0=wXBQn&data_0={"top":128,"left":0}&cmd_1=onSelect&uuid_1=wXBQn&data_1={"items":["wXBQ_2"],"reference":"wXBQ_2","clearFirst":false,"selectAll":false,"pageX":207,"pageY":293,"which":1,"x":149,"y":174}
Violation Details
Attack signature detected [1]
Detected Keyword cmd_1=onSelect
Attack Signature ID200000
Name onselect... (Parameter)
Context Parameter (detected in Form Data)
Parameter Level Global
Actual Parameter Name cmd_1
Wildcard Parameter Name *
Parameter Value onSelect
Can you help me?
Detected Keyword: cmd_1=onSelect
Attack Signature: ID 200001034 Name onselect... (Parameter) Context: Parameter (detected in Form Data) Actual Parameter Name: cmd_1 Wildcard Parameter Name: *
If that's the parameter the firewall is complaining about, then you'll have to disable the rule, or add an exception for the parameters needed by ZK.
ZK's AU Engine needs a variable number of request parameters, sequenced like cmd_0, cmd_1, cmd_2 ... (also data_X and uuid_X) to allow multiple events to be sent within a single request to the server.
There's no way to disable/change this easily. You have to allow this in your firewall.
An alternative could be to switch to websockets.
Btw, your request doesn't indicate any file upload operation.
The request looks correct from a ZK perspective; the onSelect event is a valid event for a component like a combobox or listbox.
I can't comment on the F5 Firewall, I assume it needs some configuration. However, the Attack Signature ID200000 didn't give me any search results, so I can't comment on that.
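To make the answer's description of the AU request format concrete for whoever has to justify the firewall exception, here is an added example (not ZK project code and not anything from F5) that parses a zkau form body into its cmd_N / uuid_N / data_N event slots and checks the structure the answer describes: the indices run from 0 without gaps, each slot has a cmd_N whose value looks like an event name, and data_N (when present) is a JSON object. The sample body is the decoded request from the question; the event-name pattern, the treatment of uuid_N and data_N as optional, and the allow-list of event names are assumptions made for this illustration, not ZK rules.

```python
"""Structural check for ZK AU (zkau) request bodies.

Added example for this thread; not ZK project code. It shows how the
sequenced parameters cmd_0, uuid_0, data_0, cmd_1, ... can be validated
as a whole, so a WAF exception for cmd_* can be narrowed to bodies that
actually have the AU shape instead of being a blanket allow.
"""
import json
import re
from urllib.parse import parse_qs

# Sequenced parameter names the AU engine emits (from the answer above).
AU_PARAM = re.compile(r"(cmd|uuid|data)_(\d+)")
# Assumed shape of a ZK event/command name, e.g. onSelect, onAnchorPos.
EVENT_NAME = re.compile(r"on[A-Za-z0-9]+")
# Constructed allow-list; a real deployment derives it from the events its pages use.
ALLOWED_EVENTS = frozenset({"onAnchorPos", "onSelect", "onClick", "onChange", "onUpload"})

# Body copied from the decoded request in the question (already URL-decoded by the WAF).
SAMPLE_BODY = (
    'dtid=z_ppm&cmd_0=onAnchorPos&uuid_0=wXBQn&data_0={"top":128,"left":0}'
    '&cmd_1=onSelect&uuid_1=wXBQn&data_1={"items":["wXBQ_2"],"reference":"wXBQ_2",'
    '"clearFirst":false,"selectAll":false,"pageX":207,"pageY":293,"which":1,"x":149,"y":174}'
)


def parse_au_body(body: str) -> dict:
    """Split a zkau form body into ordered event slots and check the structure.

    Returns {"dtid": <desktop id>, "events": [{"cmd", "uuid", "data"}, ...]}
    ordered by index. Raises ValueError when the body does not have the AU
    shape (unknown parameter, gap in the index sequence, bad cmd, bad JSON).
    """
    params = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    dtid = params.pop("dtid", [None])[0]
    if not dtid:
        raise ValueError("missing dtid")

    slots = {}
    for name, values in params.items():
        m = AU_PARAM.fullmatch(name)
        if m is None:
            raise ValueError(f"unexpected parameter {name!r}")
        if len(values) != 1:
            raise ValueError(f"parameter {name!r} sent more than once")
        kind, idx = m.group(1), int(m.group(2))
        slots.setdefault(idx, {})[kind] = values[0]

    events = []
    for idx in range(len(slots)):  # indices must run 0, 1, 2, ... with no gaps
        slot = slots.get(idx)
        if slot is None or "cmd" not in slot:
            raise ValueError(f"event slot {idx} is missing or has no cmd_{idx}")
        cmd = slot["cmd"]
        if EVENT_NAME.fullmatch(cmd) is None:
            raise ValueError(f"cmd_{idx}={cmd!r} does not look like an event name")
        data = None
        if "data" in slot:  # assumed optional: not every event carries a payload
            data = json.loads(slot["data"])  # JSONDecodeError is a ValueError subclass
            if not isinstance(data, dict):
                raise ValueError(f"data_{idx} is not a JSON object")
        events.append({"cmd": cmd, "uuid": slot.get("uuid"), "data": data})
    return {"dtid": dtid, "events": events}


def au_request_is_expected(body: str) -> bool:
    """True when the body parses as an AU request and every cmd_N is allow-listed."""
    try:
        parsed = parse_au_body(body)
    except ValueError:
        return False
    return all(ev["cmd"] in ALLOWED_EVENTS for ev in parsed["events"])


if __name__ == "__main__":
    for ev in parse_au_body(SAMPLE_BODY)["events"]:
        print(ev["cmd"], ev["uuid"], ev["data"])
    print("expected AU request:", au_request_is_expected(SAMPLE_BODY))
```

The point of the check is that the signature fired on the literal value onSelect in cmd_1, while in an AU request that value is only ever an event name selected from a fixed set; a parameter-level exception for cmd_* combined with a check like this keeps the rest of the policy intact rather than disabling the signature globally.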
Asked: 2021-01-26 02:00:36 +0800
Seen: 15 times
Last updated: Jan 27 '21
Hi:
Thank you, the violation details are:
Violation Details
Attack signature detected [1]
Detected Keyword: cmd_1=onSelect
Attack Signature: ID 200001034 Name onselect... (Parameter) Context: Parameter (detected in Form Data) Actual Parameter Name: cmd_1 Wildcard Parameter Name: *
jstz ( 2021-01-27 04:07:25 +0800 )
Parameter Value: onSelect Applied Blocking Settings: Block Alarm Learn
The violation occurs when I try to choose a file to upload to the server.
jstz ( 2021-01-27 04:10:48 +0800 )
Thank you for your comments.
One additional question: have the parameters cmd0, cmd1, etc. always been used, that is, in previous versions as well?
Thank you so much.
jstz ( 2021-02-03 03:32:26 +0800 )
Yes, as long as I've been working with ZK (~8 years) this was the case; I think at least since ZK 5. You can verify that live on https://zkfiddle.org/ down to version 6.5.8.1.
cor3000 ( 2021-02-03 09:26:35 +0800 )
Here is the related source in case you need proof for your security guys: https://github.com/zkoss/zk/blame/816ef760377f33d245d0b401e8593881b071af7b/zk/src/archive/web/js/zk/au.js
cor3000 ( 2021-02-03 09:28:50 +0800 )