How to fix “Credentials over an insecure channel” issue?

Questions and answers on designing your Servoy solutions, database modelling and other 'how do I do this' that don't fit in any of the other categories

How to fix “Credentials over an insecure channel” issue?

Postby pbdavis » Thu Dec 20, 2018 10:03 pm

Our customer is reporting that our Servoy application has a security vulnerability identified by the RAPID7 scan. It is of level Medium and we must remediate. I'm not sure I completely understand the issue, nor how to remedy it even if I did.

The scan identifies an html file https://xyz/servoy-webclient/templates/ ... sword.html. Does Servoy generate html files? Where are these found? I cannot find any html files in the application_server folder. I'm not sure how to relate the scanned html files to Servoy forms.

At the login page there are 2 buttons. One to login another to change password. If you enter the correct username and password you can click the change password button to take you to another page to enter a new password. This is the page/form I think the issue is on.

From the html file name fx_changePassword.html, I assume it is related to the form used to allow the user to change his/her password. The code and form that is used to change one’s password is very similar to the code and form used to log in. So, I can’t understand why the login would be okay and the change password not.

Any help and insight into this issue would be greatly appreciated.

Here is some information taken out of the scan report:
Credentials over an insecure channel (1)
References:
CWE-598 CWE-523 DISSA_ASC-APP3330 OWASP2013-A6 OWASP2010-A9 OWASP2007-A9

Attack Type: Credentials sent with GET method
Error: <form id='servoy_dataform'>
Error Description: The form action points to an HTTP site
Paul Davis
Belcan Engineering Group, LLC
pbdavis
Posts: 60
Joined: Thu Nov 30, 2017 5:40 pm
Location: Florida, USA
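The scan finding quoted above has two parts: credentials submitted with the GET method (CWE-598) and a form whose action points to an http:// URL. The checker below is an added example, not code from the thread or from Servoy; it parses a page, finds every form that contains a password input, and flags exactly those two conditions. The host example.invalid and the sample forms are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class CredentialFormAuditor(HTMLParser):
    """Collect <form> elements and note which ones contain a password input."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []  # dicts: id, method, action, has_password
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "id": a.get("id", ""),
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "action": urljoin(self.page_url, a.get("action") or ""),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_credential_forms(html, page_url):
    """Return (form id, issue) pairs for forms that submit a password unsafely."""
    parser = CredentialFormAuditor(page_url)
    parser.feed(html)
    issues = []
    for f in parser.forms:
        if not f["has_password"]:
            continue  # no credential in this form, nothing to flag
        if f["method"] != "post":
            issues.append((f["id"], "credentials sent with GET method"))
        if urlsplit(f["action"]).scheme != "https":
            issues.append((f["id"], "form action points to an HTTP site"))
    return issues

# Constructed sample page with a hypothetical host; the form ids are illustrative only.
SAMPLE_HTML = """
<form id='servoy_dataform' action='http://example.invalid/changePassword'>
  <input name='user'><input type='password' name='newpw'></form>
<form id='login' method='post' action='/login'><input type='password' name='pw'></form>
<form id='search' method='get' action='/search'><input name='q'></form>
"""
```

Run `audit_credential_forms(SAMPLE_HTML, "https://example.invalid/servoy-webclient/")`: the first form is reported for both conditions, the login form passes, and the search form is ignored because it carries no password field.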

Re: How to fix “Credentials over an insecure channel” issue?

Postby rgansevles » Fri Dec 21, 2018 12:01 pm

What version of Servoy do you use?

This should be fixed in Servoy 8.

Rob
Rob Gansevles
Servoy
rgansevles
Posts: 1927
Joined: Wed Nov 15, 2006 6:17 pm
Location: Amersfoort, NL

Re: How to fix “Credentials over an insecure channel” issue?

Postby pbdavis » Fri Dec 21, 2018 3:08 pm

Production is at Servoy 3.5.12. We are currently working on a move to version 8. Can you explain where these html files come from? The scanner shows 100s of html files being scanned for our Servoy application.
Thanks Rob.
Paul Davis
Belcan Engineering Group, LLC
pbdavis
Posts: 60
Joined: Thu Nov 30, 2017 5:40 pm
Location: Florida, USA

Re: How to fix “Credentials over an insecure channel” issue?

Postby rgansevles » Thu Dec 27, 2018 10:41 pm

Wow, that is a really old version.

The files were part of the form templating used then; the files should not be accessed directly, and that was modified many versions ago.

Rob
Rob Gansevles
Servoy
rgansevles
Posts: 1927
Joined: Wed Nov 15, 2006 6:17 pm
Location: Amersfoort, NL
