Certain character combinations in script causing 403 when saving

JSt
New Contributor II

EDIT: This seems to be an issue affecting multiple JamfCloud hosted environments. I have logged a support case with Jamf, as have other community members.
I will keep this thread up to date with any information from Jamf Support.

 

On two JAMFCloud Jamf Pro instances, running version 10.40.1-t1659581750

 

I am unable to save a particular script into Jamf, as every time I press Save it results in a 403 - Access Denied


Whilst debugging this I have found that there are certain character combinations that cause this error.

If I try to save a script with the following text only, I will get the 403 error

${a:}${}

 


 

The "a" parameter / var can be swapped with any letter or number and it will still cause the error.

If the curly braces are not touching the last $ it will save fine, if they are touching however it will error.

There can be text in between the first ${a:} and the second ${} and it will still crash.
The lines can even be commented out, and it will still crash

e.g. the below will still crash -

#

#${a:}

### asd

#${}

 


This looks like some strange buffer overflow happening, or validation error crashing the console - rather than an actual access denied, as it is only happening with specific commands.

Does the same happen for anyone else, and is there a reason for this that can be avoided? Or is it a bug?

 

 

1 ACCEPTED SOLUTION

shannon_pasto
Contributor

FYI - Jamf have advised that they recently made a Web Application Firewall (WAF) change that's causing this. You'll need to contact Jamf support with all of your WAN/external IPs to get them whitelisted. If you're working from home and on DHCP with your ISP you'll need to contact Jamf each time it changes. 

I can appreciate that this is a security measure but it's a major annoyance as far as I'm concerned. I've expressed my concern and asked for the issue to be escalated. In the meantime send Jamf your IPs or use Jamf Admin to upload new/edited scripts.

Cheers,

Shannon


16 REPLIES

Shaunn_brown
New Contributor II

This is happening to me also, on at least 2 JAMFCloud.com instances - 

VERSION

10.40.1-t1659581750

It does not happen to me on a JAMF Pro On-Prem, 

VERSION

10.37.2-t1648851072

 

 

JSt
New Contributor II

Yes, I have two instances running in Jamfcloud and both are showcasing this issue.
Looks to be an issue their end then.

Shaunn_brown
New Contributor II

Will you be opening a support ticket on it?

JSt
New Contributor II

I certainly will now I know it's not just me who is affected, thanks for the reply.

Brett_Cox
New Contributor III

I have this issue as well.  Noticed it yesterday (Sep-8-2022)

JSt
New Contributor II

Interesting, I know my jamfcloud instance was updated this week so potentially related to this recent update.

npynenberg
Contributor

Same for our cloud instance. I opened a ticket.

Shaunn_brown
New Contributor II

wow, I am now glad I've got more On-Prem JAMF's than Cloud... still gonna be a pain in the .. .. .. neck.

I gotta ask though, what did you mean use JAMF Admin to upload new and edited scripts. I've never seen that capability in it. Packages yes, scripts no.

JSt
New Contributor II

You can actually just drag text files into the scripts area via JamfAdmin, and then rename them to .sh

This is the workaround we have been using so far, following the 403 issues on the web UI.

The process is explained here: https://docs.jamf.com/10.24.1/jamf-pro/administrator-guide/Managing_Scripts.html

Shaunn_brown
New Contributor II

Many thanks! Totally makes sense that it would work like that, I just hadn't dug into JAMF Admin that far yet. 

Brett_Cox
New Contributor III

As of today (Sep. 09, 2022) the issue is no longer showing up. I can create new and modify existing scripts without seeing the 403 error. No changes were made by me or JAMF (that I know of) in regards to IP address listings.

JSt
New Contributor II

How strange, I am also now not seeing the issue!
Thanks for bringing to my attention!

batterprize
New Contributor

I have this issue as well.  Noticed it yesterday

shannon_pasto
Contributor

I have an update on this one. I escalated to my customer success manager and was given some further information after a bit more of investigation. There appears to have been a temporary WAF rule issue which was causing this on Jamf Cloud. It's now been resolved which is why it has gone for most people (including me).

There is also a known issue with saving scripts with illegal characters in them. It's a specific sequence...

:-<letter>

where "<letter>" is just any letter. That's a colon followed by a dash followed by any character. This will cause the 403 error so check your scripts.

Hope this helps everyone
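
Added example, not part of any poster's message and not Jamf's code: a pre-upload check that flags the two sequences reported in this thread, `${<letter or digit>:}` followed later by `${}`, and `:-<letter>`, so a 403 on save can be traced to script content rather than permissions. The regexes are this example's reading of the posts, not the actual WAF rules; the function names and sample scripts are constructed.

```python
import re
import sys

# Sequences reported in the thread as triggering the 403 on save.
# These are this example's reading of the posts, not the WAF's real rules.
OPEN_EXPANSION = re.compile(r"\$\{[A-Za-z0-9]:\}")  # e.g. ${a:}
EMPTY_EXPANSION = re.compile(r"\$\{\}")             # ${} with braces touching the $
COLON_DASH = re.compile(r":-[A-Za-z]")              # e.g. the ":-r" in ${2:-root}


def line_of(text, pos):
    """1-based line number of character offset pos."""
    return text.count("\n", 0, pos) + 1


def find_triggers(script_text):
    """Return sorted (line_number, rule, matched_text) findings.

    Comment lines are scanned too: the thread reports that commenting
    the sequence out does not stop the 403.
    """
    findings = [
        (line_of(script_text, m.start()), "colon-dash-letter", m.group())
        for m in COLON_DASH.finditer(script_text)
    ]
    opener = OPEN_EXPANSION.search(script_text)
    if opener:
        # Other text may sit between the two parts, including newlines.
        closer = EMPTY_EXPANSION.search(script_text, opener.end())
        if closer:
            findings.append((line_of(script_text, closer.start()),
                             "open-then-empty-expansion",
                             opener.group() + " ... " + closer.group()))
    return sorted(findings)


# Constructed samples: the commented case from the first post, a script
# using shell default expansions, and the spaced form reported to save fine.
SAMPLE_COMMENTED = "#\n#${a:}\n### asd\n#${}\n"
SAMPLE_DEFAULTS = '#!/bin/bash\nLOG_DIR="${1:-/var/log}"\nOWNER="${2:-root}"\n'
SAMPLE_SPACED = "${a:}$ {}\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for line_no, rule, text in find_triggers(fh.read()):
                print(f"{path}:{line_no}: {rule}: {text}")
```

The `colon-dash-letter` rule also fires on ordinary shell default expansions such as `${2:-root}`, so expect hits in otherwise unremarkable scripts.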