My Oracle Support Banner

403 Forbidden Error When Attempting To Save A BML function Or Util Function (Doc ID 2893601.1)

Last updated on JANUARY 30, 2023

Applies to:

Oracle BigMachines CPQ Cloud Service - Version 22 B and later
Information in this document applies to any platform.


When attempting to save a BML function or a util function, either a 403 forbidden error will appear on the page or the util function will endlessly process the save.  In the modsec_debug_ohs.log an error message will be shown as identified below:

[localhost/sid#e9fe88][rid#7f89f4027cd0][/admin/configuration/rules/edit_config_editor.jsp][1] Access denied with code 403 (phase 2). Pattern match "\\< ?script\\b" at ARGS:config_xml. [file "/bigmac/Oracle/Middleware/latest/user_projects/domains/bm_flmcdev_node1/config/fmwconfig/components/OHS/instances/cpqOHS/modsecurity/modsecurity_crs_41_xss_attacks.conf"] [line "191"] [id "958051"] [rev "2"]

[msg "Cross-site Scripting (XSS) Attack"] [data "Matched Data: <script found within ARGS:config_xml: <?xml version=\x221.0\x22 encoding=\x22utf-8\x22?><configuration> <user_info> <session_id>null</session_id> <user_id>null</user_id> <user_organization>null</user_organization> </user_info> <configureresponse> <item> <segment>xxx</segment> <product_line>xxxx</product_line> <model>xxxx</model> </item> <price_book> <variable_name>_default_price_book</variable_name> <partner_price_book_id/> </price_book> <attributes> <attribute _variablename=\x2..."]

[severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [t





To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.