Is Via G&L vulnerable to the “Strict Transport Security misconfiguration”?
Originally Published: 2016-08-30
Article Summary
HTTP Strict-Transport-Security header was not found in HTTP responses.
HTTP login is already disabled at customer site.
So, is the product vulnerable to a Strict Transport Security misconfiguration?
Issue Background:
The HTTP Strict Transport Security policy defines a timeframe during which a browser
must connect to the web server only via HTTPS. Without a Strict Transport Security
policy the web application may be exposed to several attacks:
· If the web application mixes HTTP and HTTPS, an attacker can manipulate pages in
the unsecured area of the application or change redirection targets so that the
switch to the secured page is never made, or is made in a way that leaves the
attacker between client and server.
· If there is no HTTP server, an attacker on the same network could simulate an
HTTP server and lure the user into clicking a prepared URL through a social
engineering attack.
The protection is effective only for the amount of time the header specifies.
Multiple occurrences of this header could cause undefined behaviour in browsers and
should be avoided.
Issue Detail:
There was no "Strict-Transport-Security" header in the server response.
Occurrences:
GET https://sbela00350.be.extranet/aveksa/attachment?token=t6df834f71539de95ba5
GET https://sbela00350.be.extranet/aveksa/custom.jsp?page=home.jsp
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/alinks.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/context.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/files.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/title.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/js/toc.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/alinks.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/context.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/files.js
GET https://sbela00350.be.extranet/aveksa/main
… and more (global issue)
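The scanner finding above is simply "header absent", but the background section also names two weaker states worth catching: a header that is sent more than once, and a policy whose lifetime is too short to be useful. The following is an added example (not RSA's code or part of the original article) of a defender-side check that classifies each response as missing, duplicate, malformed or weak. The responses and the host name idg.example.invalid are constructed for the example; a real run would populate the same structure from captured HTTPS responses, and the 180-day threshold is an assumed policy minimum.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses: URL -> list of (header-name, value) pairs as a
# server might send them. The host is a placeholder, not the scanned system.
SAMPLE_RESPONSES: Dict[str, List[Tuple[str, str]]] = {
    "https://idg.example.invalid/aveksa/main": [
        ("Content-Type", "text/html"),
    ],
    "https://idg.example.invalid/aveksa/login": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ],
    "https://idg.example.invalid/aveksa/help/toc.js": [
        ("Strict-Transport-Security", "max-age=300"),
    ],
    "https://idg.example.invalid/aveksa/custom.jsp": [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Strict-Transport-Security", "max-age=0"),
    ],
}

# Assumed policy minimum: a max-age below this is reported as weak.
MIN_MAX_AGE = 180 * 24 * 3600


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None when max-age is absent or malformed, or when any directive
    is repeated within the single header value.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None  # RFC 6797: a directive must not appear more than once
        directives[name] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the HSTS findings for one response; empty list means OK."""
    values = [v for (n, v) in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["missing: no Strict-Transport-Security header in response"]
    if len(values) > 1:
        # The article warns that multiple copies lead to undefined browser behaviour.
        return ["duplicate: header sent %d times" % len(values)]
    parsed = parse_hsts(values[0])
    if parsed is None:
        return ["malformed: %r" % values[0]]
    findings = []
    if parsed["max_age"] < MIN_MAX_AGE:
        findings.append("weak: max-age=%d is below the %d second minimum"
                        % (parsed["max_age"], MIN_MAX_AGE))
    return findings


def audit(responses: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Audit every response and keep only the URLs that have findings."""
    report = {}
    for url, headers in responses.items():
        findings = check_response(headers)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_RESPONSES).items():
        for finding in findings:
            print(url, "->", finding)
```

Against the constructed input, /aveksa/main is reported as missing (the state the scanner found), /aveksa/custom.jsp as duplicate, /aveksa/help/toc.js as weak, and /aveksa/login passes. Because the policy is cached per host, a single page that sends a correct header is enough for the browser to remember it; the reason to check every response is to find the copies that send a contradictory or duplicated value, which is the case the background section says to avoid.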
Resolution
In either of those scenarios there are far worse things an attacker could do than the attack described here.
However, the product team is adding this header anyway to help close that small window, since there is no cost to doing so.
It will be included in upcoming releases, and may be patched back into some existing code lines at the discretion of the Customer Success team.
It will be fixed in Highland Park (7.0.2).