Vulnerabilities in CA Service Desk Manager

ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Vulnerabilities in CA Service Desk Manager - Security Headers missing

book

Article ID: 211140

calendar_today

Updated On:

Products

CA Service Management - Service Desk Manager

Issue/Introduction

Vulnerability List: -

Target Portal	Ownership	Reporting Category	Affected URL	Criticality	POC present (Yes/No)	Status
SAIL Portal	MSP	HTTP Request method validation	https://10.5.16.178	High	Yes	Open
SAIL Portal	MSP	Missing Security Headers	https://10.5.16.178	Medium	Yes	Open
SAIL Portal	MSP	Missing Custom error pages	https://10.5.16.178	Medium	Yes	Open

Cause

Bug - Vulnerability

Environment

Release : 17.1

Component : SERVICE DESK MANAGER

Resolution

Defect has been raise with engineering i.e. DE59044

Tfix created i.e. T5UG458 with its readme file to the defect. Please apply the Tfix and follow readme file for the post installation steps.

1) HTTP Request method validation:

- Open the portal in Firefox,
- Edit and resend the login request using
developer tools
- Change the request method to GET and paste the
login parameters after the URL using "?"
- Submit the request. The submitted request will
have a 200 response.
- Open the submitted request in a new tab and the
portal will be logged in.

2) Missing Security Headers

- Open the network tab in firefox developer tools
and check the response headers for the submitted
request.
- CSP headers are missing in the response.

3) Missing custom error pages

- Intercept the request using Burp Suite and
change the HTTP method to ABCD.
- Check the response.

Please open a case with support to get the Tfix if not already available in the latest patch levels beyond RU11.

Feedback

thumb_up Yes

thumb_down No