topic Qlik Sense Management Console - IT Health Check - Information Disclosure Through Web Content in Management & Governance https://community.qlik.com/t5/Management-Governance/Qlik-Sense-Management-Console-IT-Health-Check-Information/m-p/2156416#M29924 <P>Hi!</P> <P>When browsing the QMC, the following HTTP requests were highlighted as low risk observations by the IT health check team we contracted:</P> <P><EM>Testing identified web content which could be accessed by authenticated users, which disclosed potentially sensitive&nbsp;</EM><EM>information regarding the technology stack in use, this information could aid an attacker throughout the&nbsp; information&nbsp;</EM><EM>gathering phase of their attack.</EM></P> <OL> <LI>/qrs/SQLDatabase/version?xrfkey=&lt;Redacted&gt; <OL> <LI>This responds with the PostgreSQL version number.</LI> </OL> </LI> <LI>/resources/autogenerated/product-info.js??&lt;Redacted&gt; <OL> <LI>It can be observed that the server exposed details about the installed packages and their respective version.</LI> </OL> </LI> <LI>/qrs/About?xrfkey=&lt;Redacted&gt; <OL> <LI>It can be observed that the application was exposing details about the type of database in use and the database build version.</LI> </OL> </LI> </OL> <P>I was wondering if this can be mitigated somehow or if this is to be treated as just part of the QMC functionality and left as is.</P> Wed, 27 Dec 2023 15:33:00 GMT J1 2023-12-27T15:33:00Z Qlik Sense Management Console - IT Health Check - Information Disclosure Through Web Content https://community.qlik.com/t5/Management-Governance/Qlik-Sense-Management-Console-IT-Health-Check-Information/m-p/2156416#M29924 <P>Hi!</P> <P>When browsing the QMC, the following HTTP requests were highlighted as low risk observations by the IT health check team we contracted:</P> <P><EM>Testing identified web content which could be accessed by authenticated users, which disclosed potentially sensitive&nbsp;</EM><EM>information regarding the technology stack in use, this information could aid an attacker throughout the&nbsp; information&nbsp;</EM><EM>gathering phase of their attack.</EM></P> <OL> <LI>/qrs/SQLDatabase/version?xrfkey=&lt;Redacted&gt; <OL> <LI>This responds with the PostgreSQL version number.</LI> </OL> </LI> <LI>/resources/autogenerated/product-info.js??&lt;Redacted&gt; <OL> <LI>It can be observed that the server exposed details about the installed packages and their respective version.</LI> </OL> </LI> <LI>/qrs/About?xrfkey=&lt;Redacted&gt; <OL> <LI>It can be observed that the application was exposing details about the type of database in use and the database build version.</LI> </OL> </LI> </OL> <P>I was wondering if this can be mitigated somehow or if this is to be treated as just part of the QMC functionality and left as is.</P> Wed, 27 Dec 2023 15:33:00 GMT https://community.qlik.com/t5/Management-Governance/Qlik-Sense-Management-Console-IT-Health-Check-Information/m-p/2156416#M29924 J1 2023-12-27T15:33:00Z