Is Via G&L vulnerable to the “Strict Transport Security misconfiguration”?
Originally Published: 2016-08-30
Article Summary
The HTTP Strict-Transport-Security header was not found in HTTP responses.
HTTP login is already disabled at the customer site.
So is the product vulnerable to a Strict-Transport-Security misconfiguration?
Issue Background:
The HTTP Strict Transport Security policy defines a timeframe during which a
browser must connect to the web server only via HTTPS. Without a Strict
Transport Security policy the web application may be vulnerable to several
attacks:
· If the web application mixes HTTP and HTTPS, an attacker can manipulate pages
in the unsecured area of the application, or change redirection targets, so
that the switch to the secured page is not performed, or is performed in a way
that leaves the attacker between client and server.
· If there is no HTTP server, an attacker on the same network could simulate an
HTTP server and motivate the user to click on a prepared URL by a social
engineering attack.
The protection is effective only for the given amount of time. Multiple
occurrences of this header could cause undefined behaviour in browsers and
should be avoided.
Issue Detail:
There was no "Strict-Transport-Security" header in the server response.
Occurrences:
GET https://sbela00350.be.extranet/aveksa/attachment?token=t6df834f71539de95ba5
GET https://sbela00350.be.extranet/aveksa/custom.jsp?page=home.jsp
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/alinks.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/context.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/files.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/title.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/js/toc.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/alinks.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/context.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/files.js
GET https://sbela00350.be.extranet/aveksa/main
… and more (global issue)
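The finding above (header absent) and the caveat in the background section (a duplicated header gives undefined browser behaviour) are both simple to verify from captured response headers. The following checker is an added example, not part of the article or the product; the sample responses and paths it uses are constructed, and the one-year minimum max-age is an assumed policy threshold.

```python
from typing import Dict, List, Optional, Set, Tuple

MIN_MAX_AGE = 31536000  # assumed threshold: one year in seconds; shorter policies lapse quickly

# Constructed sample responses (not captured from the product). Headers are kept
# as (name, value) lists, not dicts, so a duplicate header survives to be detected.
SAMPLE_RESPONSES = {
    "/aveksa/main": [("Content-Type", "text/html")],
    "/fixed/main": [("Content-Type", "text/html"),
                    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
    "/dup/main": [("Strict-Transport-Security", "max-age=31536000"),
                  ("strict-transport-security", "max-age=0")],
    "/short/main": [("Strict-Transport-Security", "max-age=300")],
}

def parse_hsts(value: str) -> Tuple[Optional[int], Set[str]]:
    """Parse 'max-age=N; includeSubDomains; preload' (RFC 6797 syntax) into
    (max_age or None if absent/malformed, set of lowercased flag directives)."""
    max_age, flags = None, set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')  # RFC 6797 permits a quoted value
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags

def check_hsts(headers: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Classify one response as missing, duplicate, invalid, disabled, weak or ok."""
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        return "missing", "no Strict-Transport-Security header in response"
    if len(hsts) > 1:
        return "duplicate", f"{len(hsts)} HSTS headers; browser behaviour is undefined"
    max_age, flags = parse_hsts(hsts[0])
    if max_age is None:
        return "invalid", "max-age directive missing or not an integer"
    if max_age == 0:
        return "disabled", "max-age=0 tells browsers to forget the policy"
    if max_age < MIN_MAX_AGE:
        return "weak", f"max-age={max_age} is below {MIN_MAX_AGE} seconds"
    return "ok", "policy present" + (" (covers subdomains)" if "includesubdomains" in flags else "")

def audit(responses: Dict[str, List[Tuple[str, str]]]) -> Dict[str, str]:
    """Map each path to its HSTS status; anything other than 'ok' needs attention."""
    return {path: check_hsts(headers)[0] for path, headers in responses.items()}
```

Run against real captures, every path of the scan above would come back as "missing"; after the fix the same sweep should report "ok" everywhere, with "duplicate" flagging any layer (proxy plus application) that adds the header twice.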
Resolution
In either of those scenarios there are much worse things an attacker could do than the attack described here.
However, they are adding this header anyway to help close that small window, since there is no cost to them in doing so.
It will be in upcoming releases, and may be patched back into some existing codelines at the discretion of the Customer Success team.
It will be fixed in Highland Park (7.0.2).