KSP violation in NetOps Performance Management
search cancel

KSP violation in NetOps Performance Management

book

Article ID: 140873

calendar_today

Updated On:

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

The web application exposes files to the client. Some of these files are not essential for the working of the application. Furthermore, these files expose details of the inner working of the application. This information can aid in exploiting other vulnerabilities.

Impact

Some technical information about the application can be obtained.

KSP violation

YES: KSP-RE-266 v1.0

Evidence

The following steps can be used to exploit this vulnerability:

1. Browse to the following URL: https://<NetOps Portal>:8443/pc/extjs/

2. The ExtJS default interface is shown. The /examples/ endpoint is not available, denying further exploitation of this component.

 

Recommendation

  • Only deploy or install services, middleware and programs which are essential to the correct working of the application. If partial installations are not possible, non-essential services and functionality should be removed or disabled.
  • Use a subdirectory of the project as the webroot, so that adding a file to the project does not automatically expose it to the internet.
  • Reflect the above in the security baseline of the host in order to prevent the same finding in future assessments. The security baseline must be applied every time a host is taken into production.
  • How this view can be disabled in ? 

 

Environment

Release : 3.7

Component : CA DATABASE COMMAND CENTER

Resolution

Renaming / deleting / moving the index.html will fix this bug. 

 

By doing this, it will not have any impact on the existing product functionality:


1.mv /opt/CA/PerformanceCenter/PC/webapps/pc/extjs/index.html /opt/CA/PerformanceCenter/PC/webapps/pc/extjs/index.bak

2.mv /opt/CA/PerformanceCenter/PC/webapps/pc/extjs/index.html /tmp

3.rm /opt/CA/PerformanceCenter/PC/webapps/pc/extjs/index.html