This request will not be considered, as vulnerability issues may occur when transferring additional parameters to the server.
We're using version : 13.0 Build 13011
One of my user's signs in using SAML and get the above error (translation see Title of my post).
It seems like the authentication itself was successful:
[09:17:13:089]|[05-08-2023]|[com.manageengine.servicedesk.authentication.saml.servlet.SamlResponse]|[INFO]|[916]: User found using nameid :: users-email@removed.de username :: users-login-removed domainname :: -|
[09:17:13:089]|[05-08-2023]|[com.adventnet.authentication.saml.SamlResponseServelt]|[INFO]|[916]: User has been Authenticated Successfully|
In the log I found the following entries:
[09:17:13:169]|[05-08-2023]|[com.adventnet.servicedesk.filter.EncodingFilter]|[INFO]|[925]: EncodingFilter called |
[09:17:13:170]|[05-08-2023]|[com.manageengine.mdh.MDHSettings]|[INFO]|[915]: Service desk instance ID not found in Cookie|
[09:17:13:171]|[05-08-2023]|[com.manageengine.mdh.MDHFilter]|[INFO]|[915]: PORTALID : 1|
[09:17:13:172]|[05-08-2023]|[com.manageengine.servicedesk.sdpapi.v2.servlet.SDPAPIV2Servlet]|[INFO]|[925]: time taken:{init=0, after writing response=3, getting handler=1, getting response obj=2, start=1683530233169, got entityObj=1}|
[09:17:13:224]|[05-08-2023]|[com.adventnet.servicedesk.util.RememberMeUtil]|[INFO]|[915]: inside of ---> getCookieValue from RememberMeUtil, cookieName : sdplogincsrfcookie;|
[09:17:13:224]|[05-08-2023]|[com.adventnet.servicedesk.filter.RememberMe]|[INFO]|[915]: successMessage : null; isRequestedSessionIdValid : true|
[09:17:13:224]|[05-08-2023]|[com.adventnet.servicedesk.util.RememberMeUtil]|[INFO]|[915]: inside of ---> getCookieValue from RememberMeUtil, cookieName : febbc30d;|
[09:17:13:224]|[05-08-2023]|[com.adventnet.servicedesk.util.RememberMeUtil]|[INFO]|[915]: inside of ---> ###removeRememberMeDetails from RememberMeUtil, febbc30d cookieValue : null;|
[09:17:13:224]|[05-08-2023]|[com.adventnet.servicedesk.util.RememberMeUtil]|[INFO]|[915]: inside of ---> getCookieValue from RememberMeUtil, cookieName : username;|
[09:17:13:233]|[05-08-2023]|[com.adventnet.persistence.interceptor.NotificationPersistenceInterceptor]|[WARNING]|[915]: Empty Notification is being notified. Please check it ...|
[09:17:13:251]|[05-08-2023]|[com.manageengine.mdh.MDHFilter]|[INFO]|[936]: PORTALID : 1|
[09:17:13:251]|[05-08-2023]|[com.adventnet.servicedesk.util.RememberMeUtil]|[INFO]|[936]: inside of ---> getCookieValue from RememberMeUtil, cookieName : sdplogincsrfcookie;|
[09:17:13:251]|[05-08-2023]|[com.adventnet.servicedesk.util.RememberMeUtil]|[INFO]|[936]: inside of ---> getCookieValue from RememberMeUtil, cookieName : JSESSIONIDSSO;|
[09:17:13:251]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[936]: SdpSecurityFilter called |
[09:17:13:251]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[936]: RequestURI::::::: /setup/UserDetails.jsp|
[09:17:13:251]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[936]: urlRule::::::: URLRule :: path = "/setup/UserDetails.jsp" urlInRegex = "false"|
[09:17:13:251]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[936]: actionParamValue::::::: null|
[09:17:13:251]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[936]: actionRule::::::: ActionRule :: Path : "/setup/UserDetails.jsp" method :"GET"" isCSRFProtected : "false" internal : "false" trusted : "false" roles : "ViewRequester,SDGuest" dynamicParams : "false" api : "false" isc : "false" authentication : "required" throwAllErrors : "false" urlXSSValidation : "true" ipBlockCheck : "false" loginThrowError : "false "" iscScope : "null" runAsGroupIdParam : "null" runAsGroupTypeParam : "null "isThrottlesConfigured : "true "dynamic-throttles : "false|
[09:17:13:257]|[05-08-2023]|[com.adventnet.servicedesk.filter.EncodingFilter]|[INFO]|[936]: EncodingFilter called |
[09:17:13:259]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: SdpSecurityFilter called |
[09:17:13:259]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: RequestURI::::::: /HomePage.do|
[09:17:13:259]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: urlRule::::::: URLRule :: path = "/HomePage.do" actionParamName = "action" urlInRegex = "false"|
[09:17:13:259]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: actionParamValue::::::: null|
[09:17:13:259]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: actionRule::::::: ActionRule :: Path : "/HomePage.do" method :"GET"" isCSRFProtected : "false" internal : "false" trusted : "false" roles : "" dynamicParams : "false" api : "false" isc : "false" authentication : "required" throwAllErrors : "false" urlXSSValidation : "true" ipBlockCheck : "false" loginThrowError : "false "" iscScope : "null" runAsGroupIdParam : "null" runAsGroupTypeParam : "null "isThrottlesConfigured : "true "dynamic-throttles : "false|
[09:17:13:261]|[05-08-2023]|[com.manageengine.mdh.MDHFilter]|[INFO]|[921]: PORTALID : 1|
[09:17:13:261]|[05-08-2023]|[com.adventnet.servicedesk.util.RememberMeUtil]|[INFO]|[921]: inside of ---> getCookieValue from RememberMeUtil, cookieName : sdplogincsrfcookie;|
[09:17:13:261]|[05-08-2023]|[com.adventnet.servicedesk.util.RememberMeUtil]|[INFO]|[921]: inside of ---> getCookieValue from RememberMeUtil, cookieName : JSESSIONIDSSO;|
[09:17:13:261]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: SdpSecurityFilter called |
[09:17:13:261]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: RequestURI::::::: /api/v3/support_group_role_associations/_total_count|
[09:17:13:261]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: urlRule::::::: URLRule :: path = "/api/v3/support_group_role_associations/_total_count" urlInRegex = "false"|
[09:17:13:261]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: actionParamValue::::::: null|
[09:17:13:261]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: actionRule::::::: ActionRule :: Path : "/api/v3/support_group_role_associations/_total_count" method :"GET"" isCSRFProtected : "false" internal : "false" trusted : "false" roles : "SDAdmin,SDSiteAdmin" dynamicParams : "false" api : "true" isc : "false" authentication : "required" throwAllErrors : "false" urlXSSValidation : "true" ipBlockCheck : "false" loginThrowError : "false "" iscScope : "null" runAsGroupIdParam : "null" runAsGroupTypeParam : "null "isThrottlesConfigured : "true "dynamic-throttles : "false|
[09:17:13:261]|[05-08-2023]|[com.adventnet.iam.security.URLRule]|[SEVERE]|[915]: Extra parameter found : the parameter name : SkipNV2Filter for the URI : GET : /HomePage.do|
[09:17:13:261]|[05-08-2023]|[com.adventnet.iam.security.IAMSecurityException]|[INFO]|[915]: IAMSecurityException ErrorCode: EXTRA_PARAM_FOUND, RequestURI: "/HomePage.do", RemoteAddr: "10.3.110.38", Referrer: "null", ParameterName: "SkipNV2Filter"|
[09:17:13:261]|[05-08-2023]|[com.adventnet.iam.security.SecurityFilter]|[SEVERE]|[915]: IAMSecurityException Error Code : EXTRA_PARAM_FOUND |
[09:17:13:262]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]:
************************** SECURITY EXCEPTION **************************
|
[09:17:13:262]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: =======================================================|
[09:17:13:262]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: ZOHO Security Error Message : Diese Anfrage wird nicht berücksichtigt, da bei Übergabe weiterer Parameter zum Server Anfälligkeitsprobleme auftreten können.|
[09:17:13:262]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: =======================================================|
[09:17:13:262]|[05-08-2023]|[com.manageengine.mdh.MDHSettings]|[INFO]|[915]: Service desk instance ID not found in Cookie|
[09:17:13:262]|[05-08-2023]|[com.manageengine.mdh.MDHFilter]|[INFO]|[915]: PORTALID : 1|
[09:17:13:262]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: SdpSecurityFilter called |
[09:17:13:262]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: RequestURI::::::: /HomePage.do|
[09:17:13:262]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: urlRule::::::: URLRule :: path = "/HomePage.do" actionParamName = "action" urlInRegex = "false"|
[09:17:13:262]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: actionParamValue::::::: null|
[09:17:13:262]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: actionRule::::::: ActionRule :: Path : "/HomePage.do" method :"GET"" isCSRFProtected : "false" internal : "false" trusted : "false" roles : "" dynamicParams : "false" api : "false" isc : "false" authentication : "required" throwAllErrors : "false" urlXSSValidation : "true" ipBlockCheck : "false" loginThrowError : "false "" iscScope : "null" runAsGroupIdParam : "null" runAsGroupTypeParam : "null "isThrottlesConfigured : "true "dynamic-throttles : "false|
[09:17:13:264]|[05-08-2023]|[com.manageengine.mdh.MDHFilter]|[INFO]|[915]: PORTALID : 1|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: =======================================================|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: Role 'SDAdmin' not matched for the URI : /api/v3/support_group_role_associations/_total_count|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: =======================================================|
[09:17:13:265]|[05-08-2023]|[com.adventnet.iam.security.IAMSecurityException]|[INFO]|[921]: IAMSecurityException ErrorCode: UNAUTHORISED|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: SdpSecurityFilter called |
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: RequestURI::::::: /Error|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: urlRule::::::: URLRule :: path = "/Error" urlInRegex = "false"|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: actionParamValue::::::: null|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: actionRule::::::: ActionRule :: Path : "/Error" method :"GET"" isCSRFProtected : "false" internal : "false" trusted : "false" roles : "" dynamicParams : "false" api : "false" isc : "false" authentication : "public" throwAllErrors : "false" urlXSSValidation : "true" ipBlockCheck : "false" loginThrowError : "false "" iscScope : "null" runAsGroupIdParam : "null" runAsGroupTypeParam : "null "isThrottlesConfigured : "false "dynamic-throttles : "false|
[09:17:13:265]|[05-08-2023]|[com.adventnet.iam.security.SecurityFilter]|[SEVERE]|[921]: IAMSecurityException Error Code : UNAUTHORISED |
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]:
************************** SECURITY EXCEPTION **************************
|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: =======================================================|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: ZOHO Security Error Message : Sie sind nicht berechtigt, diese Seite anzusehen|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: =======================================================|
[09:17:13:265]|[05-08-2023]|[com.manageengine.mdh.MDHFilter]|[INFO]|[921]: PORTALID : 1|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: SdpSecurityFilter called |
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: RequestURI::::::: /api/v3/support_group_role_associations/_total_count|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: urlRule::::::: URLRule :: path = "/api/v3/support_group_role_associations/_total_count" urlInRegex = "false"|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: actionParamValue::::::: null|
[09:17:13:265]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: actionRule::::::: ActionRule :: Path : "/api/v3/support_group_role_associations/_total_count" method :"GET"" isCSRFProtected : "false" internal : "false" trusted : "false" roles : "SDAdmin,SDSiteAdmin" dynamicParams : "false" api : "true" isc : "false" authentication : "required" throwAllErrors : "false" urlXSSValidation : "true" ipBlockCheck : "false" loginThrowError : "false "" iscScope : "null" runAsGroupIdParam : "null" runAsGroupTypeParam : "null "isThrottlesConfigured : "true "dynamic-throttles : "false|
[09:17:13:270]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]:
************************** SECURITY EXCEPTION **************************
|
[09:17:13:270]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: =======================================================|
[09:17:13:270]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: ZOHO Security Error Message : Sie sind nicht berechtigt, diese Seite anzusehen|
[09:17:13:270]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[921]: =======================================================|
[09:17:13:274]|[05-08-2023]|[SYSERR]|[INFO]|[915]: java.lang.NullPointerException|
[09:17:13:274]|[05-08-2023]|[com.zoho.mickey.db.mssql.Mssql2008SQLModifier]|[WARNING]|[915]: The TOP Query used for Range is deprecated.It will be removed in future milestones.Kindly avoid using the configuration 'use_top_for_range'. |
[09:17:13:274]|[05-08-2023]|[com.zoho.mickey.db.mssql.Mssql2008SQLModifier]|[WARNING]|[915]: TOP clause is being used to form range query in MSSQL Kindly use proper column alias if the same column name from different tables are added in select query.|
[09:17:13:275]|[05-08-2023]|[com.zoho.mickey.db.mssql.Mssql2008SQLModifier]|[WARNING]|[915]: The TOP Query used for Range is deprecated.It will be removed in future milestones.Kindly avoid using the configuration 'use_top_for_range'. |
[09:17:13:275]|[05-08-2023]|[com.zoho.mickey.db.mssql.Mssql2008SQLModifier]|[WARNING]|[915]: TOP clause is being used to form range query in MSSQL Kindly use proper column alias if the same column name from different tables are added in select query.|
[09:17:13:275]|[05-08-2023]|[com.zoho.mickey.db.mssql.Mssql2008SQLModifier]|[WARNING]|[915]: The TOP Query used for Range is deprecated.It will be removed in future milestones.Kindly avoid using the configuration 'use_top_for_range'. |
[09:17:13:275]|[05-08-2023]|[com.zoho.mickey.db.mssql.Mssql2008SQLModifier]|[WARNING]|[915]: TOP clause is being used to form range query in MSSQL Kindly use proper column alias if the same column name from different tables are added in select query.|
[09:17:13:281]|[05-08-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[915]: