Cannot Access Pls Pages: 'mod_security: Access denied with code 400'

Posted by zhulch on 2007-10-11

Solved this for a friend.

Oracle EBS 11i


Symptoms:
- Cannot get in through the Forms route from IE; the CGI route works

- [Thu Oct 11 18:02:29 2007] [error] [client 10.4.105.73] mod_security: Access denied with code 400. Pattern match "!^/pls/[-a-z0-9_]+/!?[a-z](([a-z0-9_$#]){0,29})(.[a-z](([a-z0-9_$#]){0,29})){0,2}(?.*){0,1}$" at REQUEST_URI. [hostname "misp4.bj.cmcc"] [uri "/pls/BJNPRD/fnd_icx_launch.launch?resp_app=SYSADMIN&resp_key=SYSTEM_ADMINISTRATOR&secgrp_k


Solution:

--------------------------------------------------------------------------------

Applies to:
Oracle Applications Technology Stack - Version: 11.5.10
This problem can occur on any platform.

Symptoms
After applying the security update patches for April 2006, accessing pls HTML DB pages fails with the following error:

ERROR
[Mon Jul 24 11:05:42 2006] [error] [client 11.22.33.44] mod_security: Access denied with code 400. Pattern match "!^/pls/[-a-z0-9_]+/[a-z](([a-z0-9_$#]){0,29})(.[a-z](([a-z0-9_$#]){0,29})){0,2}(?.*){0,1}$" at REQUEST_URI. [hostname "paydev02.ppa.mod.uk"] [uri "/pls/htmldb"] [unique_id RMSbdgoCACwALJCqGjw]


Changes
Applied security update patches for April 2006 delivering version 115.7 of the template security_ux_ias1022.conf
Cause
The example rules from security.conf need to be customized for partial URLs that are not fully formed and therefore rely on a default page (specified on the server side). htmldb is an example of a product that relies on such URLs.

#

## Allow requests for path alias requests
# SecFilterSelective "REQUEST_URI" ^/pls/[-a-z0-9_]+/fndgfm/fnd_gfm.get/ "allow,nolog"
# SecFilterSelective "REQUEST_URI" ^/pls/[-a-z0-9_]+/fndgfm/fnd_help.get/ "allow,nolog"

## Make sure the package name contains only schema-valid subset of 7-bit
## ascii, max 3 elements, each <= 30 characters, starting with a letter
#SecFilterSelective "REQUEST_URI" !^/pls/[-a-z0-9_]+/[a-z](([a-z0-9_$#]){0,29})(.[a-z](([a-z0-9_$#]){0,29})){0,2}(?.*){0,1}$

## Make sure the parameter names contains only valid subset of 7-bit ascii
#SecFilterSelective "ARGS_NAMES" !^[a-z]([a-z0-9_]){0,29}$

#

Solution
When possible, upgrade to Patch 5107107 TXK (FND & ADX) AUTOCONFIG ROLLUP PATCH N (AUGUST 2006) or higher. This patch delivers version 115.12 of the template security_ux_ias1022.conf, which includes the missing line.

A temporary work-around, until the newer version of the template can be implemented, is the following:

Navigate to $AD_TOP/admin/template
Back up the current security_ux_ias1022.conf to security_ux_ias1022.conf.org
Open security_ux_ias1022.conf in a text editor
Add the missing line (the rule under "## Allow for partial urls for default pages", originally rendered in bold; the surrounding lines are shown for context and are already in the file):

## Allow requests for path alias requests
SecFilterSelective "REQUEST_URI" ^/pls/[-a-z0-9_]+/fndgfm/fnd_gfm.get/ "allow,nolog"
SecFilterSelective "REQUEST_URI" ^/pls/[-a-z0-9_]+/fndgfm/fnd_help.get/ "allow,nolog"

## Allow for partial urls for default pages. i.e. /pls/sid or /pls/sid/
SecFilterSelective "REQUEST_URI" ^/pls/[-a-z0-9_]+$ "allow,nolog"

## Make sure the package name contains only schema-valid subset of 7-bit
## ascii, max 3 elements, each <= 30 characters, starting with a letter
SecFilterSelective "REQUEST_URI" !^/pls/[-a-z0-9_]+/[a-z](([a-z0-9_$#]){0,29})(.[a-z](([a-z0-9_$#]){0,29})){0,2}(?.*){0,1}$

## Make sure the parameter names contains only valid subset of 7-bit ascii
SecFilterSelective "ARGS_NAMES" !^[a-z]([a-z0-9_]){0,29}$

Save the changes
Run Autoconfig
Verify the $IAS_ORACLE_HOME/Apache/Apache/conf/security.conf now includes this new line
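To check what the rule set does before and after the missing line is added, here is a small Python model of the relevant SecFilterSelective rules. It is an added example, not Oracle's template or code; it assumes that an "allow,nolog" match stops processing, that a "!pattern" rule denies when the pattern does not match, that matching is case-sensitive as the patterns are written, and that the dot and question mark in the package-name pattern are literal (escaped).

```python
import re

# Added example: model of the template's SecFilterSelective rules on
# REQUEST_URI / ARGS_NAMES, to compare template 115.7 (no default-page rule)
# with the fixed version. Rule-engine semantics below are assumptions, not
# taken from the page; the patterns are the ones from the note, with the
# dot and question mark escaped.
PATH_ALIAS_ALLOW = [
    re.compile(r"^/pls/[-a-z0-9_]+/fndgfm/fnd_gfm\.get/"),
    re.compile(r"^/pls/[-a-z0-9_]+/fndgfm/fnd_help\.get/"),
]
# The line the note says is missing from 115.7: /pls/<sid> default page.
DEFAULT_PAGE_ALLOW = re.compile(r"^/pls/[-a-z0-9_]+$")
# Package name: up to 3 dot-separated elements, each <= 30 chars, letter first.
PACKAGE_NAME_OK = re.compile(
    r"^/pls/[-a-z0-9_]+/[a-z][a-z0-9_$#]{0,29}(\.[a-z][a-z0-9_$#]{0,29}){0,2}(\?.*)?$"
)
# Parameter names: 7-bit ascii subset, <= 30 chars, letter first.
ARG_NAME_OK = re.compile(r"^[a-z][a-z0-9_]{0,29}$")


def arg_names(request_uri):
    """Names of the query-string parameters (what ARGS_NAMES would contain)."""
    query = request_uri.partition("?")[2]
    return [pair.split("=", 1)[0] for pair in query.split("&") if pair]


def evaluate(request_uri, with_default_page_rule):
    """Return 'allow' or 'deny400' for REQUEST_URI, in the template's rule order."""
    allow_rules = PATH_ALIAS_ALLOW + ([DEFAULT_PAGE_ALLOW] if with_default_page_rule else [])
    if any(rule.search(request_uri) for rule in allow_rules):
        return "allow"  # "allow,nolog": request accepted, no further rules
    if not PACKAGE_NAME_OK.search(request_uri):
        return "deny400"  # negated rule: deny when the pattern does NOT match
    if any(not ARG_NAME_OK.search(name) for name in arg_names(request_uri)):
        return "deny400"
    return "allow"


if __name__ == "__main__":
    # Constructed sample URIs, modelled on the log lines above (SID lowercased).
    # Note that "/pls/htmldb/" with a trailing slash still fails: the comment in
    # the template mentions /pls/sid/, but the added pattern only matches /pls/sid.
    for uri in ["/pls/htmldb", "/pls/htmldb/",
                "/pls/bjnprd/fnd_icx_launch.launch?resp_app=SYSADMIN&resp_key=SYSTEM_ADMINISTRATOR",
                "/pls/bjnprd/fnd_icx_launch.launch?1resp=x"]:
        print(f"{uri:80} 115.7: {evaluate(uri, False):8} fixed: {evaluate(uri, True)}")
```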

Alternative approach
Apache
Edit the file /etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf

Comment out this line (that is, prefix it with "#"):
SecRule REQUEST_HEADERS:Host "^[\d.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017'"



Then restart the httpd service.
Done this way, there will probably still be a security hole.



From the "ITPUB blog", link: http://blog.itpub.net/7318139/viewspace-975999/. If reprinting, please cite the source; otherwise legal liability will be pursued.
