|Applies To||RSA Product Set: Identity Governance & Lifecycle|
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.x
|Issue||The Access Request Manager (ARM) provides a mechanism to upload and download attachments related to a specific access request. It allows executable files to be uploaded and attached to the request. However, this process does not check uploaded files for viruses. Therefore, context was able to upload and subsequently download a benign virus test file (EICAR) through the system, using this upload feature.|
|Resolution||There are steps to restrict the file types that can be attached to a request (.doc, .png, and so on).|
Invalid extension for upload.
8. Click Choose File to select a file that has an extension that matches the one(s) defined in step 3.
9. Click Upload Attachment. The file with the valid file extension is accepted.
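
The extension restriction exercised in steps 8 and 9, sketched as an added example (this is not RSA's code or configuration; the function names and sample uploads are constructed for illustration). The content-signature comparison goes beyond the extension match the steps describe, and neither check is a virus scan.

```python
import os

# Allowlist mirroring the page's examples (.doc, .png). Each value is the
# well-known leading byte signature of that format.
ALLOWED = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
    ".png": b"\x89PNG\r\n\x1a\n",
}
INVALID_EXT = "Invalid extension for upload."  # message quoted on the page


def normalized_extension(filename):
    """Return the final extension, lower-cased, ignoring any directory part."""
    # Drop path components in either separator style, then trailing dots and
    # spaces, which Windows strips silently when the file is stored.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    if "\x00" in base:  # embedded NUL can truncate the name downstream
        return ""
    return os.path.splitext(base)[1].lower()


def validate_upload(filename, data, allowed=ALLOWED):
    """Return (accepted, reason) for one attachment."""
    ext = normalized_extension(filename)
    if ext not in allowed:
        return False, INVALID_EXT
    # Added hardening (assumption, not a documented product feature):
    # the file's leading bytes must match the format its extension claims.
    if not data.startswith(allowed[ext]):
        return False, "Content does not match extension " + ext
    return True, "accepted"


if __name__ == "__main__":
    ole2 = ALLOWED[".doc"] + b"\x00" * 8   # constructed .doc header
    mz = b"MZ\x90\x00"                     # constructed executable header
    samples = [
        ("REPORT.DOC", ole2),      # case differs, still allowed
        ("tool.doc.exe", mz),      # only the final extension counts
        ("invoice.doc", mz),       # allowed name, executable content
        ("notes", b"plain text"),  # no extension at all
    ]
    for name, data in samples:
        print(name, validate_upload(name, data))
```
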