Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Pavani r (Pavanir6)

IN
Pavanir6 Member since 2016 113 posts
Posted: Mar 7, 2018
Last activity: Aug 31, 2018
Posted: 7 Mar 2018 2:23 EST
Last activity: 31 Aug 2018 12:37 EDT
Closed
Solved

URLAccessModeWarn:URLAccessPermitted URLAccessDetail CSRFAttack

I am working on Pega 7.1.8. I see many logs and thread dumps in production. I see the logs as "URLAccessModeWarn:URLAccessPermitted URLAccessDetail CSRFAttack"

I read few posts in PDN but could not find a solution.Please help.

***Moderator Edit: Vidyaranjan | Updated Categories***

To see attachments, please log in.
System Administration

Accepted Solution

Posted: 6 years ago
Posted: 18 Apr 2018 7:58 EDT
Marty Solomon (SOLOM) Senior Director Software Security Architecture
Pegasystems Inc.
US

The warnings reported in the log are false positives, so there is no issue to resolve, other than eliminating the reporting of these by suppressing the messages.  The only way to do this is to change the setting as directed above.  Pega has been working on resolving this at the root level and is in the process of developing a solution for this.

To see attachments, please log in.
Posted: 6 years ago
Posted: 12 Mar 2018 6:00 EDT
Chandrasekhar Gollamudi VN (chandrasekhar_g)
PEGA
Senior Manager, Technical Support - Runtime Engine and Search
Pegasystems Inc.
IN

Hi Pavani,

You can try with first option as mentioned in article : 

These warnings can be disabled entirely using a prconfig setting.

Also to disable these warning messages entirely, one can use the following prconfig.xml file entry:
<env name="security/urlaccessmode" value="allow" />

 

To see attachments, please log in.

Accepted Solution

Posted: 6 years ago
Posted: 18 Apr 2018 7:58 EDT
Marty Solomon (SOLOM) Senior Director Software Security Architecture
Pegasystems Inc.
US

The warnings reported in the log are false positives, so there is no issue to resolve, other than eliminating the reporting of these by suppressing the messages.  The only way to do this is to change the setting as directed above.  Pega has been working on resolving this at the root level and is in the process of developing a solution for this.

To see attachments, please log in.
Posted: 6 years ago
Posted: 31 Aug 2018 1:52 EDT
Gaurav Sharma (gasharma)
DXC
Principal Consultant
DXC
AU

Hi All,

We are seeing the same issue in PEGA 7.3.1 version also, need to know if the following is false positive alarm can we have HFIX at the code level to fix this issue once for all, as the suggested DSS change is not suggested to be used in the production system.

To see attachments, please log in.
Posted: 6 years ago
Posted: 31 Aug 2018 12:37 EDT
Marty Solomon (SOLOM) Senior Director Software Security Architecture
Pegasystems Inc.
US

Yes, this is a false positive in 7.3.1 also.  There is no need for a hot fix to disable these messages, the configuration setting will suffice and is appropriate for production.  

To see attachments, please log in.

Related content:

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice