J1
Partner - Contributor

Qlik Sense Management Console - IT Health Check - Information Disclosure Through Web Content

Hi!

When browsing the QMC, the following HTTP requests were highlighted as low risk observations by the IT health check team we contracted:

Testing identified web content which could be accessed by authenticated users, which disclosed potentially sensitive information regarding the technology stack in use. This information could aid an attacker throughout the information gathering phase of their attack.

  1. /qrs/SQLDatabase/version?xrfkey=<Redacted>
    1. This responds with the PostgreSQL version number.
  2. /resources/autogenerated/product-info.js??<Redacted>
    1. It can be observed that the server exposed details about the installed packages and their respective versions.
  3. /qrs/About?xrfkey=<Redacted>
    1. It can be observed that the application was exposing details about the type of database in use and the database build version.

I was wondering if this can be mitigated somehow or if this is to be treated as just part of the QMC functionality and left as is.
