Controller fails if passed parm is "sys" - cakephp

I am using a form in my index view to "GET" a query string for filtering my table. I end up with a URL like this, "/teams?company=sun".
This one works OK; I use "$this->request->query('company');" to get the value. But if I change the parameter value to "sys" (e.g. company=sys) then I get a "404 - File or directory not found" error. I presume sys or system is a reserved word which is causing a problem somewhere.
Is this a bug or is it behaviour that I could catch and override?

IIS was doing SQLInjection attack prevention. I deleted the "SQLInjection" Rule from Request Filtering and it is working now.

Passing parameters to SSRS Report through the URL doesn't work

I'm trying to access an SSRS report that has the option to select the year and the month by adding the parameters in the URL as &param=value, but I always get the default.
These are the parameters, and I know I'm sending the correct values in the URL.
This is the report panel where I can select the Year and Month, I'm trying to get the specific report that I need by passing those parameters in the URL.
What could I be doing wrong?
Thank you everyone.
There are a couple of ways these go wrong, I'm guessing your problem is URL encoding of your date parameter, but I'll give you other stuff too. Here is a working URL with 3 parameters: a date, a string, and an integer.
https://db01.MyCompany.com/ReportServer_Prod?/Reports/R440_OutstandingRecp&paramDateEnd=12%2f31%2f2015&paramPropLiab=Property&paramRepPeriod=1
The key parts of this URL:
"https://db01.MyCompany.com/ReportServer_Prod?/" - db01.MyCompany.com is our database VM, and I'm using the "Prod" (production) instance of SQL on it.
NOTE: Check your Reporting Services Configuration application and look at the "Web Service URL" to get what "ReportServer_Prod" is on your installation.
"?/Reports/" is the path to the virtual directory, note that this is different from the path a browser would normally use. Normally my path would be "ReportServer_Prod/Pages/Report.aspx?ItemPath=%2fReports%2fR440_OutstandingRecp" if I was just viewing this from the Reporting Services interface.
Parameters are separated by "&" and it's "ParamName" "=" "ParamValue" so "&paramPropLiab=Property&paramRepPeriod=1" are the string and integer parameters respectively.
Lastly, parameter values are URL encoded if necessary. Mostly it doesn't show up, but for dates and some strings it becomes necessary. We can't send something like "12/31/2015" because it looks like part of the path; we need a URL encoded string like "12%2f31%2f2015".
Hopefully one (or more) of these were what you needed, reply in the comments if it's still not working or if you need more explanation of why the parts are what they are.
EDIT: One more thing, if a parameter has a "Display" and a "Value" (i.e. in a drop down list) you must pass the value, not the display.
EDIT: I can't make the comment stop hiding my URL, so I'll put it here
WHAT WAS TRIED
https://slo2000/Reports_TECOVA?/Reports/TEXO%20CVA%20Reports%2fTEXO_London_B_CVA_Report&ReportMonth=January&ReportYear=2020
https://slo2000/Reports_TECOVA?/Reports/TEXO%20CVA%20Reports/TEXO_London_B_CVA_Report&ReportMonth=January&ReportYear=2020
https://slo2000/ReportServer_TECOVA?/Reports/TEXO+CVA+Reports/TEXO_London_B_CVA_Report&ReportMonth=January&ReportYear=2020
WHAT WORKS (From #Nacho in comments, brought here for visibility)
http://slo2000/ReportServer_TECOVA/Pages/ReportViewer.aspx?%2TEXO+CVA+Reports%2fTEXO_London_B_CVA_Report&rs:Command=Render&ReportMonth=January&ReportYear=2020
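The answer above comes down to two rules: the item path follows the "?" and keeps its "/" separators, while every parameter value is percent-encoded so a "/" inside a date cannot be read as path. The following Python is an added example (not code from the answer or from Reporting Services) that builds such a URL and parses one back; the server base and report path are the ones quoted in the answer, the parameter values are constructed.

```python
from urllib.parse import quote, unquote, urlsplit, parse_qsl

# Web service URL of the report server, as quoted in the answer above.
SERVER_BASE = "https://db01.MyCompany.com/ReportServer_Prod"


def build_ssrs_url(server_base, report_path, params):
    """Compose a URL-access report URL: '<web service url>?<item path>&name=value...'.

    The item path keeps '/' as a separator (spaces become %20); each parameter
    value is percent-encoded with safe='' so a '/' inside a date such as
    12/31/2015 becomes %2F and cannot be mistaken for part of the path.
    """
    if not report_path.startswith("/"):
        raise ValueError("report path must be the absolute item path, e.g. /Reports/Name")
    item_path = quote(report_path, safe="/")
    query = "&".join(
        f"{name}={quote(str(value), safe='')}" for name, value in params.items()
    )
    return f"{server_base}?{item_path}" + (f"&{query}" if query else "")


def split_ssrs_url(url):
    """Reverse of build_ssrs_url: everything after '?' up to the first '&' is the
    item path, the remainder are name=value parameters (percent-decoded)."""
    item_path, _, rest = urlsplit(url).query.partition("&")
    return unquote(item_path), dict(parse_qsl(rest, keep_blank_values=True))


if __name__ == "__main__":
    # Constructed parameters matching the three kinds in the answer: date, string, integer.
    url = build_ssrs_url(
        SERVER_BASE,
        "/Reports/R440_OutstandingRecp",
        {"paramDateEnd": "12/31/2015", "paramPropLiab": "Property", "paramRepPeriod": 1},
    )
    print(url)
    print(split_ssrs_url(url))
```

Python's quote() emits upper-case hex (%2F), which the report server treats the same as the %2f in the answer. Passing the unencoded date through split_ssrs_url shows the problem the answer describes: the extra "/" characters land in what the server reads as the item path.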

Usually the form is POST, but in a single instance it is GET

I do a standard pattern in my application - a link to /controller/delete/object_id, then a post form to "confirm", a check if $this->request->is('post') and if true - the controller deletes the object from database.
What is weird is that for a single, particular object_id, my browser (Firefox) forces the form to be a GET one. With any other object_id everything is OK, but with this particular one, despite all declarations within the form tag etc., the browser generates a GET request.
Do you have any clue what this might be?! I even tried to use the browser's private mode, because I thought it could be some garbage in the browser cache, but the bug is still there.
I managed to bypass this problem:
define a specific action in form->create, pointing to your controller's method
add a hidden field with object_id
add some additional code in the controller method to get object_id from $this->request->data, because a hidden post field is not passed as an argument to method, as it is with GET method.
This way, for some unknown reason, it just works. Anyway, I still feel I'm doing something wrong. It's not as "clean" as I would expect.

Is this a Bot modifying my URLs for some tracking purpose?

I don't know if this is bad code on our part, or a bot/spider doing something for tracking purposes. What I'm seeing is our URLs are getting modified, and it's generating site errors and error emails that I'm set up to get when it seems like my site is being hacked.
For example, a URL that should read/load like this
http://site.com/page.asp?pid=915411&order=Date
gets loaded like this
http://site.com/page.asp?pid=-1'&order=Date
the email I get shows
query string = pid=-1%27&order=Date
The IP address that comes up in the error emails always changes, but many point to Kiev or Minsk, and they are so varied I don't see how I can stop this from happening easily. My site is on an IIS 7.5 server, Win2008.
Someone is trying to hack your application. They are testing if your application uses values from the forms or URL directly into SQL statements.
This hacking attempt is easy and called "SQL injection". Check your application if it is vulnerable, fix it immediately if required.
Additionally, try to track the attackers and if you see them coming from a set of IP addresses, block them.
Using HTTP_REFERER we are able to control the URL modifying directly.
Try the below code
<%
' Reject requests that arrive without a Referer header (typed or bot-generated URLs).
If Request.ServerVariables("HTTP_REFERER") = "" Then
    Response.Write "<h1><font color=""red"">UNSECURED MENU ACCESS</font></h1>"
    Response.End
End If
%>
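The first answer's advice is to verify the application itself rather than chase addresses, and a Referer check is a weak gate because that header is supplied by the client. As an added example (not code from either answer or from the asker's site), the Python below shows the two defensive pieces a practitioner would want here: a parser for IIS W3C logs that counts the "pid=-1%27" style probes per client IP, and the input validation that stops such a value from ever reaching a query. The log lines are constructed, using documentation address ranges, and are not the asker's real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (IIS 7.5 default fields trimmed).
# The client addresses are RFC 5737 documentation ranges, not real visitors.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2014-03-10 08:15:01 10.0.0.5 GET /page.asp pid=915411&order=Date 203.0.113.10 Mozilla/5.0 200
2014-03-10 08:15:07 10.0.0.5 GET /page.asp pid=-1%27&order=Date 198.51.100.23 Mozilla/5.0 500
2014-03-10 08:15:09 10.0.0.5 GET /page.asp pid=-1%27&order=Date 198.51.100.23 Mozilla/5.0 500
2014-03-10 08:16:30 10.0.0.5 GET /page.asp pid=915412&order=Date 203.0.113.10 Mozilla/5.0 200
2014-03-10 08:17:02 10.0.0.5 GET /page.asp pid=915411&order=Date%27 192.0.2.77 Mozilla/5.0 500
2014-03-10 08:18:11 10.0.0.5 GET /index.asp - 203.0.113.10 Mozilla/5.0 200
"""

# Markers of the probing described in the question: a stray quote in a value,
# an SQL comment, or a numeric tautology. Matched against the decoded query string.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (r"'", r"--", r"\bor\b\s+\d+\s*=\s*\d+")
]


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header.

    IIS writes '-' for an empty field and replaces spaces inside a field with '+',
    so splitting on single spaces is correct.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split(" ")))


def is_probe(query):
    """True when the (percent-decoded) query string carries an injection marker."""
    if query in ("", "-"):
        return False
    decoded = unquote(query)
    return any(p.search(decoded) for p in PROBE_PATTERNS)


def probes_by_ip(text):
    """Count probing requests per client address across a W3C log."""
    counts = {}
    for rec in parse_w3c(text):
        if is_probe(rec.get("cs-uri-query", "-")):
            counts[rec["c-ip"]] = counts.get(rec["c-ip"], 0) + 1
    return counts


def ips_to_review(counts, threshold=2):
    """Addresses at or above the threshold, sorted, as the answer suggests blocking
    a set of repeat sources rather than every single hit."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def is_valid_pid(raw):
    """The application-side fix: a numeric id is validated (or bound as a query
    parameter) before it reaches SQL, so "-1'" is rejected, not concatenated."""
    return raw.isdigit()


if __name__ == "__main__":
    counts = probes_by_ip(SAMPLE_LOG)
    print(counts, ips_to_review(counts))
    print(is_valid_pid("915411"), is_valid_pid("-1'"))
```

On the real server the log is read from the IIS logging directory and the same counting feeds whatever blocklist mechanism is in use; the validation function is the part that makes the error e-mails stop, because a rejected id returns a clean 400 instead of a database error.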

cakephp url append invalid parameter But still work. Should be 404 page not found

I found a problem when I was developing an application with CakePHP.
For example: my URL is http://localhost/controller/view/id and this is working fine.
BUT, when I append more invalid parameters, it still works,
like http://localhost/controller/view/id/adfasd/adfasdf/asdfasdf/asdfasdf
It should show a 404 page not found.
Do I need to use $this->passedArgs to check the passed parameters manually in the controller and then throw an exception? Or is there any configuration?
How can I deal with this case?
Thank you
You should first look here Cakephp, Routing-Named params to find out how to properly use them.
As you should add which one to use, you should also add a regex to your id in the route.
Also when sending the data to an action you should throw the exception there like it is explained here: cakephp deal with passing wrong parameter in url

Need elaboration on Unprocessed Continuation Reference

We have a user that our corporate portal cannot fetch the groups for from AD.
On the portal logs we see this error:
javax.naming.PartialResultException: Unprocessed Continuation Reference(s) remaining name ''
I've Googled for the error and the best symptoms that seem to describe this case and how to resolve it are here: http://www-01.ibm.com/support/docview.wss?uid=swg21232921
Assuming we don't want to change the configuration just because of one user but to amend the data of this specific user, can someone please explain to me how I can recognize this when examining the user's record in AD? Is this something to do with his group assignments, and if yes, then what should I look for?
I just ran into this.
I got around it by setting your InitialDirContext environment to have the Context.REFERRAL key set to "follow".
According to the Javadocs, that key can be "follow", "ignore", or "throw". The default is determined by the provider you use, which is probably "throw".
Check out this link for a bit more data on what your API is telling you: http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
I'm not an expert on this API but can explain at least what I think is going on based upon that doc & knowledge of what AD is doing. :)
AD returns what are called "referrals" when you do searches that have naming contexts outside of this local server/search but in the logical scope of your request. This is per RFC request. Think of a referral as a hint to you, the app, that there might be more data out there, i.e., the AD server is saying "here are the results I have for you but, you should know, there is someone else that might have more...go here to find out."
Referrals aren't an "error" they are a hint to the app.
It seems that your LDAP API is throwing an exception when encountering them. Per the docs I referenced above, it looks like you can either swallow them or chase the referral to find out if there is more data.
add this for env properties
env.put(Context.REFERRAL,"follow");
Also, one of the issues that I found was an incorrect search query string in ldapContext. The incorrect query, formed due to the wrong format of a parameter, throws:
javax.naming.PartialResultException: Unprocessed Continuation Reference(s) remaining name ''
But if we add the parameter Context.REFERRAL="follow", then it does not throw an exception but neither does it return result.
The parameter to the LDAP query string should also match what is being accepted by LDAP, else it will throw the same error.