RSA AM 7.1: Security Vulnerability reported by IBM Rational AppScan 'Potential Order Information Found'
Originally Published: 2012-06-27
Applies To
IBM Rational AppScan Enterprise Edition
Issue
A security scan reported instances of "Potential Order Information Found". The scanner's description states that it is possible to gather sensitive information about the web application, such as usernames, passwords, machine names and/or sensitive file locations.
Cause
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsconsole.help/console-help/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsopsconsole.help/console-help/styles/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsopsconsole.help/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsconsole.help/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsopsconsole.help/console-help/images/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsopsconsole.help/images/order.txt(Directory: )
https://<machine_name>:7072/operations-console/order.txt(Directory: )
https://<machine_name>:7072/operations-console/order.htm(Directory: )
https://<machine_name>:7072/operations-console/order.html(Directory: )
Resolution
False Alarm:
This is a false alarm. RSA Authentication Manager does not use an order.txt file.
Example:
Vulnerable URL: https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsopsconsole.help/console-help/styles/order.txt(Directory: )
Remediation Tasks: Do not keep sensitive information in easy-to-guess file names, or restrict access to them.
However, the styles directory contains only doc_styles.css and print_styles.css; it does not contain order.txt.
The scanner appends order.txt to the URL above and looks for a specific error in the response, while the application filters out the order.txt parameter because no such file exists. The reported finding therefore does not correspond to any file served by the application.
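Added example, not part of the RSA article: a small Python triage helper that confirms a finding of this kind is a false positive by requesting each reported URL and the directory it was appended to, then treating the hit as benign when the probe is refused, not found, identical to the directory's own response (the order.txt component was filtered out), or just an HTML page. The finding list, the `<machine_name>` placeholder and the probe file names are taken from the article; host names, ports and responses in the sample are constructed.

```python
import re
import urllib.error
import urllib.request

# Constructed sample of two lines copied from the scanner's finding list.
REPORTED = """
https://<machine_name>:7072/operations-console/order.txt(Directory: )
https://<machine_name>:7072/operations-console/order.htm(Directory: )
"""

PROBE_NAMES = ("order.txt", "order.htm", "order.html")


def parse_findings(text):
    """Return clean URLs, dropping AppScan's trailing '(Directory: )' annotation."""
    urls = []
    for line in text.splitlines():
        line = re.sub(r"\(Directory: \)\s*$", "", line.strip())
        if line.startswith("http"):
            urls.append(line)
    return urls


def base_dir(url):
    """URL of the directory the scanner appended the probe file name to."""
    for name in PROBE_NAMES:
        if url.endswith("/" + name):
            return url[: -len(name)]
    return url.rsplit("/", 1)[0] + "/"


def classify(probe_status, probe_body, dir_status, dir_body):
    """'false_positive' when the probe is refused/not found, answered exactly like
    the directory itself (path component ignored), or is an HTML page;
    'review' only when a distinct non-HTML body came back and needs a look."""
    if probe_status in (401, 403, 404):
        return "false_positive"
    if probe_status == dir_status and probe_body == dir_body:
        return "false_positive"
    head = probe_body[:512].lower()
    if b"<html" in head or b"<!doctype" in head:
        return "false_positive"
    return "review"


def fetch(url, timeout=10):
    """Return (status, body); HTTP error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def triage(urls):
    """Map each reported URL to its classification by probing it and its directory."""
    return {u: classify(*fetch(u), *fetch(base_dir(u))) for u in urls}
```

Replace `<machine_name>` with the real host before calling `triage(parse_findings(REPORTED))`; only entries marked `review` need manual inspection.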