Vulnerabilities in CA Service Desk Manager - Security Headers missing

Article ID: 211140

Products

CA Service Management - Service Desk Manager

Issue/Introduction

Vulnerability List:

Target Portal | Ownership | Reporting Category             | Affected URL        | Criticality | POC present (Yes/No) | Status
SAIL Portal   | MSP       | HTTP Request method validation | https://10.5.16.178 | High        | Yes                  | Open
SAIL Portal   | MSP       | Missing Security Headers       | https://10.5.16.178 | Medium      | Yes                  | Open
SAIL Portal   | MSP       | Missing Custom error pages     | https://10.5.16.178 | Medium      | Yes                  | Open

Cause

Bug - Vulnerability

Environment

Release : 17.1

Component : SERVICE DESK MANAGER

Resolution

A defect has been raised with engineering: DE59044.

A Tfix, T5UG458, has been created for the defect, together with a readme file. Please apply the Tfix and follow the readme file for the post-installation steps.

1) HTTP Request method validation:

- Open the portal in Firefox.
- Edit and resend the login request using the developer tools.
- Change the request method to GET and append the login parameters to the URL after a "?".
- Submit the request. The submitted request receives a 200 response.
- Open the submitted request in a new tab; the portal is logged in.

2) Missing Security Headers:

- Open the Network tab in the Firefox developer tools and check the response headers for the submitted request.
- CSP headers are missing from the response.

3) Missing custom error pages:

- Intercept the request using Burp Suite and change the HTTP method to ABCD.
- Check the response.
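The following is an added example and is not code from CA Service Desk Manager or from the T5UG458 Tfix. It is a small, framework-free Python request handler that shows the three mitigations these findings call for (a method allowlist with a POST-only login, security headers attached to every response, and a generic custom error page for unexpected methods such as ABCD), plus a header audit that can be run over a response copied from the browser's Network tab. The header values, the /login path, the demo credential and the captured response are assumptions constructed for the example.

```python
# Added example: not code from the CA Service Desk Manager product or the
# T5UG458 Tfix. Header values, the /login path, the demo credential and the
# captured response below are constructed assumptions for illustration.
import hmac
from typing import Dict, List, Optional, Set, Tuple

# Finding 2: headers every response should carry (policy values are assumed).
REQUIRED_SECURITY_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Finding 1: methods served at all, plus per-path restrictions so a login
# replayed as GET with credentials in the query string is refused.
ALLOWED_METHODS: Set[str] = {"GET", "HEAD", "POST"}
METHOD_POLICY: Dict[str, Set[str]] = {"/login": {"POST"}}

# Finding 3: one generic error page instead of the application server's default
# page, which would otherwise be returned for a bogus method such as "ABCD".
GENERIC_ERROR_BODY = "<html><body><h1>The request could not be processed.</h1></body></html>"

# Constructed demo credential; a real deployment checks its own user store.
DEMO_USER = "demo"
DEMO_PASSWORD = "demo-pass"

# Constructed response, as it might be copied from the browser's Network tab:
# it has two of the expected headers and lacks CSP and HSTS.
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: constructed-example\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>login page</body></html>"
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a name -> value dict.
    The status line and the body are ignored."""
    separator = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(separator, 1)[0]
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:  # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Names of required headers absent from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_SECURITY_HEADERS if h.lower() not in present]


def handle_request(method: str, path: str,
                   form: Optional[Dict[str, str]] = None
                   ) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body): validates the method, attaches the
    security headers to every response and serves the generic error page."""
    method = method.upper()
    headers = dict(REQUIRED_SECURITY_HEADERS)
    headers["Content-Type"] = "text/html; charset=utf-8"

    if method not in ALLOWED_METHODS:           # e.g. "ABCD"
        headers["Allow"] = ", ".join(sorted(ALLOWED_METHODS))
        return 405, headers, GENERIC_ERROR_BODY

    restricted = METHOD_POLICY.get(path)
    if restricted is not None and method not in restricted:  # GET /login
        headers["Allow"] = ", ".join(sorted(restricted))
        return 405, headers, GENERIC_ERROR_BODY

    if path == "/login":
        form = form or {}
        user = form.get("username", "")
        password = form.get("password", "")
        # Both comparisons always run, in constant time.
        user_ok = hmac.compare_digest(user.encode(), DEMO_USER.encode())
        pass_ok = hmac.compare_digest(password.encode(), DEMO_PASSWORD.encode())
        if not (user_ok and pass_ok):
            return 401, headers, GENERIC_ERROR_BODY
        headers["Set-Cookie"] = "SESSION=constructed-id; Secure; HttpOnly; SameSite=Strict"
        return 200, headers, "<html><body>Logged in</body></html>"

    if path == "/":
        body = "" if method == "HEAD" else "<html><body>Portal home</body></html>"
        return 200, headers, body

    return 404, headers, GENERIC_ERROR_BODY


if __name__ == "__main__":
    print("Missing in captured response:",
          missing_security_headers(parse_response_headers(CAPTURED_RESPONSE)))
    for req in (("ABCD", "/"), ("GET", "/login"), ("GET", "/")):
        status, hdrs, _ = handle_request(*req)
        print(req, "->", status, "missing:", missing_security_headers(hdrs))
```

Running the file audits the constructed capture and the handler's own responses. To verify a deployment after applying the Tfix, paste the response header block shown in the Firefox Network tab into parse_response_headers and confirm that missing_security_headers returns an empty list; the handler's 405 responses for ABCD and for GET /login are the behaviour the first and third findings expect once request method validation and custom error pages are in place.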

Please open a case with support to obtain the Tfix if it is not already included in the latest patch levels beyond RU11.