Last Modified: Apr 10, 2019
See more info
Known Affected Versions:
11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5
12.0.0, 11.6.0 HF6, 11.5.4
Opened: Apr 20, 2015
Large requests (over 5K) arrive truncated to the server when web scraping bot detection is enabled, or a brute force/session opening attack is ongoing with client-side mitigation.
The client side challenge mechanism causes a truncation of the request forwarded to the server. Only the first 5k of the request arrives to the server.
The request size is between 5k-10k. Web scraping bot detection is turned on, or a brute force/session opening attack is ongoing with client-side mitigation.
Change the internal parameter size max_raw_request_len to 10000.
The system's client-side challenge mechanism no longer truncates large requests (those over 5K) forwarded to the server.