DA 7.2.0400.0089 in HTTP mode in Windows 10 gives /webtop/Intrusion error, it does not so in Windows

Options
Leendert
Leendert
in Documentum #1

What causes the following error / what can I do to get this solved? When starting DA in http transfer mode in windows 10 we get the following error:

org.owasp.esapi.errors.ValidationException: HTTP Parameter Value: XSS:__dmfTargetWindowName: Invalid input. Please conform to regex ^[\p{L}\p{N}.-/+=_ !$?@]{0,1000}$ with a maximum length of 4096
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:214)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:185)
at com.documentum.web.security.validators.WDKESAPIValidator.getValidParameterValue(Unknown Source)
at com.documentum.web.form.FormRequest$ModalPopupProperties.(FormRequest.java:974)
at com.documentum.web.form.FormRequest$ModalPopupProperties.(FormRequest.java:947)
at com.documentum.web.form.FormRequest.getModalPopupProperties(FormRequest.java:310)
at com.documentum.web.form.FormRequest.isInModalPopupMode(FormRequest.java:276)
at com.documentum.web.form.FormHistory.createSuccessorSnapshot(Unknown Source)
at com.documentum.web.form.FormProcessor.processBindWithRequestId(Unknown Source)
at com.documentum.web.form.FormProcessor.bindFormHistory(Unknown Source)
at com.documentum.web.form.FormProcessor.processAction(Unknown Source)
at com.documentum.web.form.FormAction.processAction(FormAction.java:107)
at com.documentum.web.env.WDKController.doStartRequest(Unknown Source)
at com.documentum.web.env.WDKController.processRequest(Unknown Source)
at com.documentum.web.env.WDKController.doFilter(Unknown Source)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:685)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
2019-05-29 10:51:49,702 WARN [tomcat-http--4] IntrusionDetector - [SECURITY FAILURE Anonymous:null@unknown -> /webtop/IntrusionDetector] Invalid input: context=HTTP Parameter Value: XSS:__dmfTargetWindowName, type(HTTPParameterValue)=^[\p{L}\p{N}.-/+=_ !$?@]{0,1000}$, input=CT{}
org.owasp.esapi.errors.ValidationException: HTTP Parameter Value: XSS:__dmfTargetWindowName: Invalid input. Please conform to regex ^[\p{L}\p{N}.-/+=_ !$*?@]{0,1000}$ with a maximum length of 4096
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:214)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:185)

Comments

  • T_Steele
    T_Steele E
    #2
    Options

    @Leendert Your issue appears to be caused by having Cookie Validation enabled in the DA app.xml.

    If you go to DA/wdk/app.xml there should be a param:

    change true to false. Clear app server cache and restart the application. That should clear up the error.

  • Leendert
    Leendert
    #3
    Options

    Thank you for the answer. However, there is no such cookie_validation parameter defined for DA /. webtop. Instead I assigned the value false to the parameter (validates HTTP parameters), cleared the web cache and restarted. Still same error. with IE in Windows 10. In When using chrome, no problem.

Categories