
SnowSLM script failing to load because of Web Application filter?

Question asked by Snow-good on Aug 24, 2018
Latest reply on Sep 6, 2018 by Snow-good

Block page thrown up by our WAF seeing malicious script in SNOWSLM Gui


Has anyone encountered issues with running the SnowSLM webui and scripts failing to load because of an on-premises Web Application filter?

I've been experiencing issues where I could access and log into the SnowSLM webui but when I tried to sort by column, add columns, switch pages etc., the action would not complete. When I dug down into the issue using the browser's developer tools I could see that the page was throwing up script errors; deeper digging revealed 500 internal server errors. I switched on FailedRequestLogging on the IIS and didn't see any 500 (or any errors); it wasn't the Snow server.


Seeing 500 errors thrown up using developer tools.


When I went back to the developer tools I noticed that some of the URLs that were trying to run weren't loading - I became aware that it was our Web Application Filter blocking the script from loading because the Snow script matched a malicious signature triggering on a known vulnerability labelled "ASP CGI Argument Injection Exploit".

The only way that I could get the page to load correctly was by disabling the specific vulnerability signature from being checked.


***************************Additional Info************************* 07/09/18


The vulnerability itself that this signature is defending against is CVE-2010-3332, which refers to the .NET framework. The specific detail the signature description gives:

    * This signature prevents attackers from accessing embedded resources
      through a URL with "WebResource.axd" or "ScriptResource.axd". This
      attack can be achieved in HTTP request URL.


***************************Additional Info************************* [end]




So now that we have disabled that specific vulnerability signature from being checked, we are vulnerable to the "ASP CGI Argument Injection Exploit".


My question is: has anyone else come across this? Is there a patch from Snow to fix this?


Our Web Application filter is a Fortinet device.


Any discussion would be welcomed.
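
The troubleshooting step described in the post (the browser shows 500s, the IIS logs show none) can be automated by comparing the browser's network export against the IIS W3C log. This is an added example, not part of the original post and not Snow or Fortinet code; the host name, log lines and request list are constructed samples, and matching is by method and path only.

```python
from urllib.parse import urlsplit

# Constructed sample of an IIS W3C log (not taken from the original post).
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2018-09-06 10:00:01 GET /Computers - 200
2018-09-06 10:00:02 GET /Scripts/app.js - 200
"""

# Constructed sample of (method, url, status) rows from the browser's network tab.
# snow.example.internal is a hypothetical host name.
BROWSER = [
    ("GET", "https://snow.example.internal/Computers", 200),
    ("GET", "https://snow.example.internal/Scripts/app.js", 200),
    ("GET", "https://snow.example.internal/ScriptResource.axd?d=PLACEHOLDER&t=0", 500),
    ("GET", "https://snow.example.internal/WebResource.axd?d=PLACEHOLDER&t=0", 500),
]

# Handlers named in the WAF signature description quoted in the post.
AXD = ("webresource.axd", "scriptresource.axd")


def iis_requests(log_text):
    """Return the set of (method, lowercased path) pairs that IIS logged."""
    fields, seen = [], set()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            seen.add((row["cs-method"], row["cs-uri-stem"].lower()))
    return seen


def blocked_upstream(browser_entries, log_text):
    """List failed browser requests (status >= 400) that never reached IIS."""
    seen = iis_requests(log_text)
    findings = []
    for method, url, status in browser_entries:
        path = urlsplit(url).path.lower()
        if status >= 400 and (method, path) not in seen:
            findings.append({"path": path, "status": status,
                             "axd_handler": path.endswith(AXD)})
    return findings


if __name__ == "__main__":
    for f in blocked_upstream(BROWSER, IIS_LOG):
        print(f)
```

Entries with `axd_handler` set are the ones to look up in the WAF's own attack log, since an error answered before IIS points to the filter rather than the application server.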