ag-admin vulnerabilities

Discuss all problems you have with Servoy here. It might help to mention the Servoy version and Operating System version you are using

ag-admin vulnerabilities

Postby Graham.Foss » Thu Apr 05, 2018 2:05 pm

Hi,

I support software built on Servoy.
We have a client who has tested their system by penetration testing using HP Fortify Scan.

As part of the testing they logged in to ag-admin and found two ‘Cross-Site Scripting: Reflected’ issues they class as critical.

I pointed out to them that if anyone with bad intentions who had access to ag-admin could do a lot more damage very quickly by just changing settings or deleting stuff.
They accepted this, but apparently their IT department still want a resolution.

My question is, what is Servoy’s stance on this? Is there a strategy for dealing with vulnerabilities that exist beyond the password protection on ag-admin?

Cheers

Graham
Graham.Foss
 
Posts: 2
Joined: Thu Apr 05, 2018 2:02 pm

Re: ag-admin vulnerabilities

Postby rvanderburg » Thu Apr 05, 2018 3:15 pm

Graham,

That makes no sense to me. You want to protect your house from people with a key to the front door?
Only thing I can imagine is if they say they think a username password is not a strong enough protection (you need more or more advanced locks on the door)
rvanderburg
Site Admin
 
Posts: 78
Joined: Wed May 04, 2011 10:28 am

Re: ag-admin vulnerabilities

Postby Graham.Foss » Fri Apr 06, 2018 10:15 am

Yes, I know and I said virtually the same thing to the client!

I think what has happened is that their IT department wanted to run a scan on their system for vulnerabilities. They have this tool that goes from page to page poking at text boxes and stuff to see what damage it can do.
Obviously though they can't run it on ag-admin without logging in ... so ... they log in, run the tool... and get a bunch of stuff back.

For what it's worth the, they report 'Cross-Site Scripting: Reflected' on the client-performance and database-performance pages.

I've already told them my version of the 'key in the door' analogy but they are not buying it, so I thought, all I can really do is see what Servoy thinks.

Any answer is fine by me then I can pass it down the chain and they can take it or leave it ;)
Graham.Foss
 
Posts: 2
Joined: Thu Apr 05, 2018 2:02 pm


Return to Discuss possible Issues and Bugs

Who is online

Users browsing this forum: No registered users and 6 guests