Vulnerability for /docs and /examples on CA Access Gateway (SPS)

Article ID: 246515

Updated On:

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

When running CA Access Gateway (SPS), a vulnerability concerning the /docs and /examples resources has been found (1).

 

Resolution

 

Out of the box, CA Access Gateway (SPS) runs an embedded Tomcat. This embedded Tomcat doesn't have this issue.

Out of the box, CA Access Gateway (SPS) doesn't listen on port 8888. Even when you try to reach these resources on Tomcat's port 8080, the Tomcat server already reports that they don't exist (404).

  http://sps.training.com:8080/docs/ 404

  http://sps.training.com:8080/examples/servlets/index.html 404

  http://sps.training.com:8888/examples/jsp/index 404

In the CA Access Gateway (SPS) Tomcat configuration, there's no application called "docs" or "examples":

  /opt/CA/secure-proxy/Tomcat/webapps:
  drwxrwxr-x  6 nobody root      109 2021-01-28  affwebservices
  drwxrwxr-x  4 nobody root       37 2021-01-19  CA_AuthAZ
  drwxrwxr-x  7 nobody root       98 2021-01-19  castylesr5.1.3
  -rwxrwxr-x  1 nobody root   383150 03-06 22:08 castylesr5.1.3.war
  drwxrwxr-x  7 nobody root       74 2021-01-19  chs
  drwxrwxr-x 18 nobody root     4096 06-14 11:44 proxyui
  drwxrwxr-x  3 nobody root      223 2021-01-19  ROOT
  drwxrwxr-x  5 nobody root      102 06-14 11:44 sessionassuranceapp
  drwxr-xr-x  4 nobody nobody    334 2021-01-19  sts-sps
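
A way to repeat this check on another host, as an added example that is not part of the original article: the script looks under a Tomcat base directory for a `docs` or `examples` application and can probe the three paths tested above. It goes slightly beyond the directory listing by also checking per-host context descriptors (`conf/<Engine>/<Host>/docs.xml`), which assumes the standard Tomcat layout; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Tomcat base directory for the default "docs" and
# "examples" applications. The layout below the base directory (webapps/,
# conf/<Engine>/<Host>/) is the standard Tomcat one and is an assumption here.

# Print every artifact a docs/examples app could be deployed from.
# Returns 0 when nothing is found, 1 when at least one artifact exists.
find_default_webapps() {
    base=$1
    found=0
    for app in docs examples; do
        # Exploded directory, WAR archive, or per-host context descriptor.
        for candidate in "$base/webapps/$app" \
                         "$base/webapps/$app.war" \
                         "$base"/conf/*/*/"$app.xml"; do
            if [ -e "$candidate" ]; then
                echo "FOUND $candidate"
                found=1
            fi
        done
    done
    return "$found"
}

# Probe the paths the article tests; any status other than 404 is flagged.
# Requires curl. base_url looks like http://sps.training.com:8080
probe_default_paths() {
    base_url=$1
    rc=0
    for path in /docs/ /examples/servlets/index.html /examples/jsp/index; do
        code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$base_url$path") \
            || code=000   # 000 = no HTTP response (port closed, timeout)
        echo "$code $base_url$path"
        [ "$code" = "404" ] || rc=1
    done
    return "$rc"
}

# Usage: sh check_tomcat_defaults.sh /opt/CA/secure-proxy/Tomcat [base_url]
if [ "$#" -ge 1 ]; then
    find_default_webapps "$1" && echo "no docs/examples app under $1"
    if [ "$#" -ge 2 ]; then probe_default_paths "$2"; fi
fi
```

A status of `000` from the probe means the port gave no HTTP response at all, which is distinct from Tomcat answering 404.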

Additional Information

 

(1) Apache Tomcat Default Files