000014195 - RSA AM 7.1: Security Vulnerability reported by IBM Rational AppScan 'Encryption not Enforced'

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014195

Applies To: RSA Authentication Manager 7.1 SP4, IBM Rational AppScan Enterprise Edition

Issue: Address a possible security vulnerability reported by an IBM Rational AppScan security scan concerning "Direct Access to Administration".
The security scan reported instances where administration pages could be visible.
An attacker may be able to access these pages by guessing their name, e.g. admin.php, admin.asp, admin.cgi, admin.html, etc.

Cause: The following URLs were identified as a problem by the scan:
https://<machine_name>:7072/operations-console/admin.dat (Directory: )
https://<machine_name>:7072/operations-console/admin.data (Directory: )
https://<machine_name>:7072/operations-console/admin/admin.asp (Directory: )
https://<machine_name>:7072/operations-console/admin/admin.aspx (Directory: )
https://<machine_name>:7072/operations-console/admin/admin.php (Directory: )
https://<machine_name>:7072/operations-console/admin.cgi (Directory: )
https://<machine_name>:7072/operations-console/admin.aspx (Directory: )
https://<machine_name>:7072/operations-console/admin.udl (Directory: )
https://<machine_name>:7072/operations-console/admin.shtml (Directory: )
Resolution

False Alarm:

 

A user cannot access any of these pages or scripts without authentication and authorization; the application always displays the logon page. None of the above scripts are used by the application. If the user is already authenticated, the application returns the following error:

"Sorry, but the page you requested cannot be found."
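One way to document this false-positive decision is to record the response for each flagged path in both session states and check it against the behaviour described above. The following is an added example, not RSA or AppScan code; the `logon` marker, the `Observed` record, the `/constructed/logon` redirect target and the `/hypothetical/admin.html` path are assumptions made for illustration.

```python
from dataclasses import dataclass

# Error text quoted in the article for authenticated requests.
NOT_FOUND_TEXT = "Sorry, but the page you requested cannot be found."
# Assumption: the logon page is recognisable by this substring in the
# redirect target or body; adjust to the real deployment.
LOGON_MARKER = "logon"

@dataclass
class Observed:
    path: str
    authenticated: bool   # was a valid console session sent with the request?
    status: int
    location: str         # Location header, "" when absent
    body: str

def is_benign(r: Observed) -> bool:
    """True when the response matches the behaviour the article describes."""
    if r.authenticated:
        return r.status == 404 or NOT_FOUND_TEXT in r.body
    text = (r.location + " " + r.body).lower()
    return LOGON_MARKER in text or r.status in (401, 403)

def triage(observations):
    """Map each path to false-positive / review / incomplete."""
    seen = {}
    for r in observations:
        seen.setdefault(r.path, {})[r.authenticated] = is_benign(r)
    verdicts = {}
    for path, results in seen.items():
        if not all(results.values()):
            verdicts[path] = "review"          # some response served content
        elif len(results) < 2:
            verdicts[path] = "incomplete"      # only one session state tested
        else:
            verdicts[path] = "false-positive"
    return verdicts

# Constructed sample observations (not captured from a real system).
SAMPLE = [
    Observed("/operations-console/admin.cgi", False, 302, "/constructed/logon", ""),
    Observed("/operations-console/admin.cgi", True, 404, "", NOT_FOUND_TEXT),
    Observed("/operations-console/admin/admin.php", False, 200, "", "<title>Logon</title>"),
    Observed("/hypothetical/admin.html", False, 200, "", "<h1>Settings</h1>"),
    Observed("/hypothetical/admin.html", True, 200, "", "<h1>Settings</h1>"),
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:15} {path}")
```

A finding is closed as a false positive only when both the unauthenticated and the authenticated response were recorded and neither served content.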


Legacy Article ID: a59000
