Is Via G&L vulnerable to the "Strict Transport Security misconfiguration"?
Originally Published: 2016-08-30
Article Summary
A vulnerability scan reported that the HTTP Strict-Transport-Security (HSTS) header was not present in the product's HTTPS responses.
Login over plain HTTP is already disabled at the customer site.
Is the product therefore vulnerable to the "Strict Transport Security misconfiguration" finding?
Issue Background:
The HTTP Strict Transport Security (HSTS) policy tells a browser that, for a stated period of time, it must connect to the web server only via HTTPS and must refuse to use plain HTTP. Without an HSTS policy the web application may be exposed to several attacks:
· If the web application mixes HTTP and HTTPS, an attacker who can tamper with the unencrypted traffic can manipulate pages in the unsecured area of the application, or change redirection targets so that the switch to the secured page is never performed, or is performed in a way that leaves the attacker between client and server.
· Even if the application runs no HTTP server at all, an attacker on the same network can impersonate one and, by social engineering, lure the user into clicking a prepared http:// URL for the application; the browser will try plain HTTP because nothing tells it not to.
The protection is effective only for the given max-age and only after the browser has received the header at least once over HTTPS; a user's very first visit is not covered. Multiple occurrences of this header in one response could cause undefined behaviour in browsers and should be avoided.
Issue Detail:
The scanner found no "Strict-Transport-Security" header in the server responses for the following requests.
Occurrences:
GET https://sbela00350.be.extranet/aveksa/attachment?token=t6df834f71539de95ba5
GET https://sbela00350.be.extranet/aveksa/custom.jsp?page=home.jsp
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/alinks.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/context.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/files.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/title.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/js/toc.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/alinks.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/context.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/files.js
GET https://sbela00350.be.extranet/aveksa/main
… and more (global issue)
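The check the scanner performed above, and the duplicate-header caveat from the Issue Background, can be reproduced offline with a small audit routine. This is an added example, not code from the article or from the product: the response header lists are constructed here (the paths are taken from the occurrences above, the header values are invented), and the 180-day minimum max-age is an assumed policy threshold, not something the article states.

```python
from typing import Dict, List, Tuple

# Constructed sample HTTPS responses as (header-name, header-value) lists.
# These are illustrative, not captured from the product.
SAMPLES: Dict[str, List[Tuple[str, str]]] = {
    # the state the scanner reported: no HSTS header at all
    "/aveksa/main": [
        ("Content-Type", "text/html;charset=UTF-8"),
        ("Set-Cookie", "JSESSIONID=abc123; Path=/aveksa; Secure; HttpOnly"),
    ],
    # a sound policy: one header, long max-age, subdomains covered
    "/aveksa/custom.jsp?page=home.jsp": [
        ("Content-Type", "text/html;charset=UTF-8"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ],
    # header present but max-age too short to be useful
    "/aveksa/short": [
        ("Strict-Transport-Security", "max-age=300"),
    ],
    # two headers: RFC 6797 says a browser processes only the first, but the
    # second (max-age=0) shows how a misconfigured proxy can silently undo the policy
    "/aveksa/duplicate": [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("strict-transport-security", "max-age=0"),
    ],
}

MIN_MAX_AGE = 15_552_000  # 180 days; assumed policy minimum for this example


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header value into its directives, names lowercased.

    'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for one HTTPS response; an empty list means the policy is sound."""
    # header names are case-insensitive, so match them lowercased
    values = [v for (n, v) in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["Strict-Transport-Security header not found"]

    findings: List[str] = []
    if len(values) > 1:
        findings.append(
            f"{len(values)} Strict-Transport-Security headers in one response; "
            "browsers process only the first, remove the others"
        )

    d = parse_hsts(values[0])
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        findings.append("max-age directive missing or not a number")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is shorter than {MIN_MAX_AGE} seconds")

    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set (advisory)")
    return findings


def audit(responses: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Run check_hsts over every sampled response and keep only the ones with findings."""
    return {path: f for path, f in ((p, check_hsts(h)) for p, h in responses.items()) if f}


if __name__ == "__main__":
    for path, findings in audit(SAMPLES).items():
        print(path)
        for f in findings:
            print("  -", f)
```

Two points the routine makes explicit: the header is only meaningful on HTTPS responses (browsers ignore HSTS received over plain HTTP), so disabling HTTP login does not replace it; and a short or zero max-age, or a second header injected by a proxy, leaves the finding open even though "a header is present".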
Resolution
In either of the scenarios described in the Issue Background (mixed HTTP/HTTPS use, or an attacker on the same network impersonating an HTTP server), an attacker who is already in that position could do far worse than exploit the missing header, and with HTTP login disabled the exposure is small.
Nevertheless, the header is being added to close that small window, since doing so costs nothing.
It will be included in upcoming releases and may be patched back into some existing codelines at the discretion of the Customer Success team.
It will be fixed in Highland Park (7.0.2).