Dear all,
I have added a new proc, ::util::reject_request_filter, to acs-tcl in CVS HEAD. It is intended as a small helper for administrators who want to reject unwanted request paths very early in request processing.
Background: recently, CVE-2026-35273 was opened for a vulnerability in Oracle PeopleSoft. This vulnerability is checked by security scanners such as Nessus. Although this issue is not related to OpenACS at all, we saw a false positive reported against an OpenACS installation.
The reason was that the scanner sent an HTTP probe request containing a magic string. OpenACS then redirected the request to the canonical location. The redirect response contained the original request parameter, including the magic string, in the Location header. The scanner apparently interpreted this reflected string as evidence for the PeopleSoft vulnerability, although the response was just a normal NaviServer/OpenACS redirect.
To avoid such redirects for foreign probe paths, the request has to be interrupted very early, before the OpenACS request processor is fully initialized with the usual request context. Writing such a filter is therefore not completely trivial and deserves framework support.
The new proc is documented here: util::reject_request_filter
If you are a sysadmin and want to use it, update OpenACS core or add the proc to your local definitions, and register a filter such as:
ns_register_filter -first preauth POST /PSEMHUB/* ::util::reject_request_filter "PeopleSoft probe"
For example, this can be added near the end of:
packages/acs-tcl/tcl/admin-init.tcl
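To illustrate what such an early-reject filter looks like against the NaviServer filter API, here is an added example; it is not the ::util::reject_request_filter proc from acs-tcl, and the proc name ::local::reject_probe_filter and its body are assumptions about how the reject can be written:

```tcl
# Illustrative early-reject filter (hypothetical, not the OpenACS proc).
# NaviServer calls a filter proc with the extra args given at registration
# followed by the "why" stage (preauth/postauth/trace), so the reason string
# passed to ns_register_filter arrives as the first argument.
proc ::local::reject_probe_filter {reason why} {
    # Log enough to recognise scanner traffic later, but do not echo
    # request parameters back to the client (that echo was the false positive).
    ns_log notice "reject_probe_filter: $reason" \
        "url=[ns_conn url] method=[ns_conn method] peer=[ns_conn peeraddr]"

    # Plain 404 sent before any OpenACS redirect/canonicalisation logic runs,
    # so no Location header carrying the probe string is ever produced.
    ns_returnnotfound

    # filter_return: the response is complete; skip remaining filters and handler.
    return filter_return
}

# Register at the earliest preauth position for the probe path, e.g. near the
# end of packages/acs-tcl/tcl/admin-init.tcl; the trailing string is the
# extra argument handed to the proc as "reason".
ns_register_filter -first preauth POST /PSEMHUB/* ::local::reject_probe_filter "PeopleSoft probe"
```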
This does not fix an OpenACS vulnerability — there is none in this case — but it can avoid misleading scanner results and suppress unnecessary redirects for well-known foreign application probe paths.
Maybe someone will find this helpful.
All the best,
-g