Vulnerability triggers when accessing the following URL: https://<server-URL>/.htpasswd

a month ago

Article Number

000073922

Applies To

RSA Product Set: SecurID

RSA Product/Service Type: Apache Agent

RSA Version/Condition: 8.0.6

Test Environment: Red Hat Linux 8.10

CVE Identifier(s)

N/A

Article Summary

When accessing the following URL: https://<server-URL>/.htpasswd, it returns the main RSA Web Agent login page. This behavior triggers a vulnerability alert in security scans.

Alert Impact

Not Exploitable

Alert Impact Explanation

The vulnerability scan incorrectly interprets the RSA Web Agent login page as exposure of sensitive files.
In reality, the access is blocked and the page remains protected.

Resolution

This alert should be ignored as a false positive, since the observed behavior is expected.

Expected Behavior:

Without Agent: Accessing https://<server-URL>/.htpasswd results in a 403 Forbidden error.
With Agent: After RSA Web Agent authentication, accessing https://<server-URL>/.htpasswd also results in a 403 Forbidden error.

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates, or suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates, or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Don't see what you're looking for?

Related Articles

Trending Articles