ag-admin vulnerabilities

Posted: Thu Apr 05, 2018 2:05 pm
by Graham.Foss
Hi,

I support software built on Servoy.
We have a client who has tested their system by penetration testing using HP Fortify Scan.

As part of the testing they logged in to ag-admin and found two ‘Cross-Site Scripting: Reflected’ issues they class as critical.

I pointed out to them that anyone with bad intentions who had access to ag-admin could do a lot more damage very quickly by just changing settings or deleting stuff.
They accepted this, but apparently their IT department still want a resolution.

My question is, what is Servoy’s stance on this? Is there a strategy for dealing with vulnerabilities that exist beyond the password protection on ag-admin?

Cheers

Graham

Re: ag-admin vulnerabilities

Posted: Thu Apr 05, 2018 3:15 pm
by rvanderburg
Graham,

That makes no sense to me. You want to protect your house from people with a key to the front door?
The only thing I can imagine is if they say they think a username and password is not a strong enough protection (you need more, or more advanced, locks on the door).

Re: ag-admin vulnerabilities

Posted: Fri Apr 06, 2018 10:15 am
by Graham.Foss
Yes, I know and I said virtually the same thing to the client!

I think what has happened is that their IT department wanted to run a scan on their system for vulnerabilities. They have this tool that goes from page to page poking at text boxes and stuff to see what damage it can do.
Obviously though they can't run it on ag-admin without logging in ... so ... they log in, run the tool... and get a bunch of stuff back.

For what it's worth, they report 'Cross-Site Scripting: Reflected' on the client-performance and database-performance pages.

I've already told them my version of the 'key in the door' analogy but they are not buying it, so I thought, all I can really do is see what Servoy thinks.

Any answer is fine by me then I can pass it down the chain and they can take it or leave it ;)