RSA AM 7.1: Security Vulnerability reported by IBM Rational AppScan 'Potential Order Information Found'
Originally Published: 2012-06-27
Article Number
Applies To
IBM Rational AppScan Enterprise Edition
Issue
Security scan reported instances of "Potential Order Information Found". It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations.
Cause
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsconsole.help/console-help/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsopsconsole.help/console-help/styles/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsopsconsole.help/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsconsole.help/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsopsconsole.help/console-help/images/order.txt(Directory: )
https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsopsconsole.help/images/order.txt(Directory: )
https://<machine_name>:7072/operations-console/order.txt(Directory: )
https://<machine_name>:7072/operations-console/order.htm(Directory: )
https://<machine_name>:7072/operations-console/order.html(Directory: )
Resolution
False Alarm:
This is a false alarm. We do not use order.txt.
Example:
Vulnerable URL: https://<machine_name>:7072/console-infocenter/content/help:/com.rsa.imsopsconsole.help/console-help/styles/order.txt(Directory: )
Remediation Tasks: Do not keep sensitive information in easy to guess file names, or restrict access to them
However, the styles directory contains only doc_styles.css and print_styles.css; it does not contain order.txt.
The scanner appends order.txt to the URL above and then looks for a specific error in the response. Because order.txt does not exist, the application simply filters out that component of the request, so no order file is exposed and the finding can be closed as a false positive.
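To confirm a finding of this class is a false positive rather than a real exposed file, the check below re-requests each reported URL and compares the response with a request for a random, certainly nonexistent name in the same directory: an identical response means the server is returning a generic page for missing files (a soft 404), which is what trips the scanner. This is an added triage script, not part of the original article or of RSA's product; the host name, the fetch helper and the response classifications are assumptions.

```python
import secrets
from urllib.error import HTTPError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

HOST = "<machine_name>"  # assumption: substitute the real Authentication Manager host

# Two of the URLs reported by AppScan, in the form the report prints them.
REPORTED = [
    f"https://{HOST}:7072/console-infocenter/content/help:/com.rsa.imsopsconsole.help/console-help/styles/order.txt(Directory: )",
    f"https://{HOST}:7072/operations-console/order.txt(Directory: )",
]

def strip_scanner_suffix(url):
    """Remove the '(Directory: )' annotation AppScan appends to reported URLs."""
    return url.split("(Directory:")[0].strip()

def sibling_url(url, name):
    """Return a URL for `name` in the same directory as `url`'s last path component."""
    parts = urlsplit(url)
    directory = parts.path.rsplit("/", 1)[0]
    return urlunsplit(parts._replace(path=f"{directory}/{name}"))

def http_fetch(url):
    """Return (status, body); HTTP error statuses are results, not exceptions."""
    try:
        with urlopen(Request(url), timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()

def triage(url, fetch=http_fetch):
    """Classify one finding: 'absent' (404), 'soft-404' (same response as a random
    nonexistent name in that directory, i.e. a generic page), or 'present'
    (a distinct response that must be reviewed by hand)."""
    url = strip_scanner_suffix(url)
    status, body = fetch(url)
    if status == 404:
        return "absent"
    control = sibling_url(url, f"nonexistent-{secrets.token_hex(4)}.txt")
    control_status, control_body = fetch(control)
    if status == control_status and body == control_body:
        return "soft-404"
    return "present"

def triage_all(urls, fetch=http_fetch):
    """Map each cleaned URL to its classification."""
    return {strip_scanner_suffix(u): triage(u, fetch) for u in urls}

if __name__ == "__main__":
    for url, verdict in triage_all(REPORTED).items():
        print(f"{verdict:9} {url}")
```

Only a verdict of "present" needs manual review; "absent" and "soft-404" results match the behaviour this article describes and can be documented as false positives.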