
PROBLEM Sophos UTM AH00026: found %2f (encoded '/')

Hello Everyone

Is there any way to fix this problem from the Sophos UTM GUI?
We want to publish our web application but we are facing some problems with "/" decoding.

Was this problem solved before?

LOG FROM SOPHOS:

2020:06:22-15:13:58 firewall-1 httpd[29313]: [core:notice] [pid 29313:tid 3750837104] [client xxxxxxx] AH00026: found %2f (encoded '/') in URI (decoded='/core/rest/secure/media/storeFileContent/test/TestP.ruletree'), returning 404

 

Our SOPHOS Firewall SG310 UTM 9 (Firmware version: 9.702-1)



This thread was automatically locked due to age.
  • I recognize this is a message from the Web Application Firewall log.

    It means that it has detected what appears to be a web URL trying to play tricks, because the request includes a slash which is entered as a hex sequence rather than a slash character.

    The WAF blocked the request. Status code 404 was returned to the user, which means "Forbidden".

    If you are sure that you need this to be allowed, you will need to figure out which rule is involved. You are looking for a long entry containing a token of the form [id 999999]. Then you add that rule ID to the exceptions list. Perhaps the token is in part of this message that you did not include, or perhaps it is in an adjacent message. WAF messages can stretch across multiple log entries.

    Most of the UTM WAF configuration options have the effect of enabling or disabling an entire category of rules. So another way to experiment is to turn off WAF options until you find the one that blocks the request when enabled, and allows it when disabled. Just remember that you have disabled a category by this method, not just one rule.

    If you cannot find the right way to override, you will need to get Sophos support involved.
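
The log search described in the reply above, as an added example that is not part of the original thread: it finds each AH00026 entry, reports which httpd module logged it and the decoded URI, and collects any `[id ...]` tokens from adjacent entries of the same worker thread and client. Only the first sample line comes from the question; the other two lines, the `security2` module tag, and the function names are constructed assumptions.

```python
import re

# Constructed sample: line 1 is the entry quoted in the question; line 2 is an
# invented neighbour carrying the placeholder id 999999 from the reply; line 3
# is an invented entry from a different worker thread and client.
SAMPLE_LOG = """\
2020:06:22-15:13:58 firewall-1 httpd[29313]: [core:notice] [pid 29313:tid 3750837104] [client xxxxxxx] AH00026: found %2f (encoded '/') in URI (decoded='/core/rest/secure/media/storeFileContent/test/TestP.ruletree'), returning 404
2020:06:22-15:13:58 firewall-1 httpd[29313]: [security2:error] [pid 29313:tid 3750837104] [client xxxxxxx] constructed example message [id "999999"] [msg "constructed"]
2020:06:22-15:13:59 firewall-1 httpd[29313]: [security2:error] [pid 29313:tid 3750837000] [client yyyyyyy] constructed example message [id "111111"]
"""

ENTRY = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) httpd\[\d+\]: \[(?P<module>[^\]:]*):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
RULE_ID = re.compile(r'\[id "?(\d+)"?\]')  # accepts [id 999999] and [id "999999"]
DECODED = re.compile(r"AH00026: .*\(decoded='(?P<uri>[^']*)'\)")

def parse(log_text):
    """Return one dict per log line that matches the httpd entry layout."""
    return [m.groupdict() for m in map(ENTRY.match, log_text.splitlines()) if m]

def find_encoded_slash_hits(log_text, window=3):
    """List AH00026 entries with rule ids seen in nearby entries of the same request."""
    entries = parse(log_text)
    hits = []
    for i, e in enumerate(entries):
        d = DECODED.search(e["msg"])
        if not d:
            continue
        key = (e["pid"], e["tid"], e["client"])
        # Look a few entries before and after, since messages can span entries.
        near = entries[max(0, i - window): i + window + 1]
        ids = sorted({rid for n in near
                      if (n["pid"], n["tid"], n["client"]) == key
                      for rid in RULE_ID.findall(n["msg"])})
        hits.append({"ts": e["ts"], "module": e["module"], "client": e["client"],
                     "decoded_uri": d["uri"], "rule_ids": ids})
    return hits

if __name__ == "__main__":
    for hit in find_encoded_slash_hits(SAMPLE_LOG):
        print(hit)
```

An empty `rule_ids` list for a hit means no rule token was logged for that request within the window.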
