Article Number
000036944
Applies To
RSA Product Set: Identity Governance & Lifecycle
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.x
Issue
The Access Request Manager (ARM) provides a mechanism to upload and download attachments related to a specific access request. It allows executable files to be uploaded and attached to the request. However, this process does not check uploaded files for viruses. Therefore, context was able to upload and subsequently download a benign virus test file (EICAR) through the system, using this upload feature.
Resolution
The following steps restrict the file types that can be attached to a request (.doc, .png, and so on).
1. Go to Requests > Configuration.
2. Click Edit.
3. Enter the valid file extensions into the text box labeled Valid extensions for request: attachments (comma separated).
4. Click OK to save.
5. To test this configuration change, create a Change Request, then select the Change Request.
6. Click Choose File to select an .exe file.
7. Click Upload Attachment and the following message should display:
   Invalid extension for upload.
8. Click Choose File to select a file that has an extension that matches the one(s) defined in step 3.
9. Click Upload Attachment. The file with the valid file extension is accepted.
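The following added example models the extension check that steps 6 to 9 exercise. It is not RSA's code: how the product parses the setting and matches file names is not documented here, so the normalization rules (case-insensitive match, last extension only, empty list rejects everything) and the function names are assumptions.

```python
import os

REJECT_MESSAGE = "Invalid extension for upload."  # message quoted in step 7


def parse_allowlist(setting):
    """Parse a comma-separated setting such as ' .doc, PNG,,pdf '.

    Assumption: entries are trimmed, lower-cased, and a leading dot is optional.
    """
    entries = (item.strip().lstrip(".").lower() for item in setting.split(","))
    return frozenset(entry for entry in entries if entry)


def check_attachment(filename, allowed):
    """Return (accepted, message) for an uploaded file name."""
    # Discard any client-supplied directory part; only the base name is judged.
    base = os.path.basename(filename.replace("\\", "/")).strip()
    # Only the final extension counts, so "report.doc.exe" is judged as "exe".
    stem, ext = os.path.splitext(base)
    ext = ext.lstrip(".").lower()
    # Fail closed: no name, no extension, or an extension that is not listed.
    if not stem or not ext or ext not in allowed:
        return False, REJECT_MESSAGE
    return True, "accepted"


if __name__ == "__main__":
    allowed = parse_allowlist(" .doc, PNG,,pdf ")  # constructed sample setting
    # Constructed sample file names mirroring the test in steps 6 to 9.
    for name in ["setup.exe", "Design.DOC", "report.doc.exe", "notes", "diagram.png"]:
        accepted, message = check_attachment(name, allowed)
        print(f"{name!r}: {message}")
```
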