yonggangsong
Contributor II

Qlik NPrinting May 2021 vulnerabilities

Dear,

We found the 4 vulnerabilities below in the NPrinting May 2021 version (not sure whether these issues are fixed in a newer version) and hope you can let us know how to fix them; thanks in advance.

1. Our NPrinting web console has HTTPS access enabled, but when we access the web console over HTTP we see: "Client sent an HTTP request to an HTTPS server." Is it possible to redirect HTTP requests to HTTPS automatically, or to disable HTTP requests completely?
2. How do we add the HttpOnly attribute to the cookie NPWEBCONSOLE_XSRF-TOKEN?
3. How do we change the relative-path CSS links below to fixed paths?
<link rel="stylesheet" href="static/styles/vendor-3f4e154229.css">
<link rel="stylesheet" href="static/styles/webconsole-946a29a3c2.css">
4. When a user accesses https://nprinting-server.domain.local:4993/npe/apps%3cscript%3e_q_q=%27%29%28%27%3c/script%3e, the Qlik NPrinting service does not check for potentially dangerous characters; this may allow HTML injection attacks. Is it possible to encode the dangerous characters?
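Regarding point 4, here is an added example (not NPrinting code and not from the poster) of the output encoding the question asks about: the reflected request path is percent-decoded and then HTML-entity-encoded before it is placed into a response page, so the markup characters render as text instead of being parsed. The function names and the response wording are assumptions made for this example; the sample path is the one quoted in the post.

```javascript
// Added example (not NPrinting code): output-encode a reflected URL path
// before embedding it in HTML, so characters such as & < > " ' are rendered
// as text rather than parsed as markup.

// Every character with meaning in an HTML text context, mapped to its entity.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for insertion into HTML element content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Percent-decode the path the way a server framework would, then encode it
// for the HTML context it is reflected into. The message text is assumed.
function renderNotFoundPage(requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath);
  } catch (e) {
    decoded = requestPath; // malformed percent-escapes: fall back to the raw text
  }
  return `<p>No application found at ${escapeHtml(decoded)}</p>`;
}

// Constructed sample: the path from the post, as received on the wire.
const SAMPLE_PATH = '/npe/apps%3cscript%3e_q_q=%27%29%28%27%3c/script%3e';

console.log(renderNotFoundPage(SAMPLE_PATH));
```

The same rule applies to any other place the path is reflected (attribute values, script blocks) with the encoder matching that context; the entity set above is correct for element content and quoted attributes only.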


Accepted Solutions
Ruggero_Piccoli
Support

Hi,

About point no. 2, the answer is no, because the JavaScript needs to be able to read it. Some details can be read in the article https://security.stackexchange.com/questions/175536/does-a-csrf-cookie-need-to-be-httponly

About the others, I suggest you open a support ticket.

Best Regards,

Ruggero
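Regarding point no. 2, an added example (not Qlik's code) of the double-submit-cookie pattern behind the answer: the page's own script must read the XSRF token out of document.cookie and send it back in a request header, and the server accepts the request only when header and cookie agree. An HttpOnly cookie never appears in document.cookie, so the script could not send it and every request would fail the check. The cookie name is taken from the post; the header name x-xsrf-token, the request shape and the token values are constructed for this example.

```javascript
// Added example (not Qlik's code): the double-submit-cookie check that an
// XSRF-token cookie such as NPWEBCONSOLE_XSRF-TOKEN exists to support.

const XSRF_COOKIE = 'NPWEBCONSOLE_XSRF-TOKEN'; // name from the post
const XSRF_HEADER = 'x-xsrf-token';           // assumed header name

// Browser side: parse a document.cookie-style string and return one cookie.
// An HttpOnly cookie is never present in document.cookie, so for such a
// cookie this returns null and the script has nothing to put in the header.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
  }
  return null;
}

// Browser side: headers the same-origin script attaches to a request.
// A cross-site form or fetch cannot read the cookie, so it cannot set this.
function buildRequestHeaders(cookieString) {
  const token = readCookie(cookieString, XSRF_COOKIE);
  return token === null ? {} : { [XSRF_HEADER]: token };
}

// Compare two strings without an early exit on the first differing byte.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: the cookie arrives automatically on every request, including
// cross-site ones; the matching header is the proof that same-origin script
// was able to read the cookie. Accept only when both are present and equal.
function verifyXsrf(request) {
  const cookieValue = readCookie(request.headers.cookie || '', XSRF_COOKIE);
  const headerValue = request.headers[XSRF_HEADER];
  if (!cookieValue || !headerValue) return false;
  return constantTimeEqual(cookieValue, headerValue);
}

// Constructed sample values (not real tokens).
const TOKEN = 'c0ffee1234567890';
const BROWSER_COOKIES = `session=abc123; ${XSRF_COOKIE}=${TOKEN}`;

// Same-origin request: script read the cookie and set the header.
const sameOriginRequest = {
  headers: { cookie: BROWSER_COOKIES, ...buildRequestHeaders(BROWSER_COOKIES) },
};

// Cross-site request: the browser attaches the cookie, but no header is set.
const crossSiteRequest = { headers: { cookie: BROWSER_COOKIES } };

// Request whose header token does not match the cookie.
const tamperedRequest = {
  headers: { cookie: BROWSER_COOKIES, [XSRF_HEADER]: 'deadbeef00000000' },
};

console.log('same-origin:', verifyXsrf(sameOriginRequest));
console.log('cross-site: ', verifyXsrf(crossSiteRequest));
console.log('tampered:   ', verifyXsrf(tamperedRequest));
```

The session cookie is the one that should carry HttpOnly (and Secure); the XSRF token cookie is deliberately readable, and its protection comes from the header comparison rather than from secrecy against the page's own script.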


2 Replies
Maria_Halley
Support

@yonggangsong

Since this question has to do with NPrinting, I will move your post to the NPrinting boards.
