Dear,
We found the 4 vulnerabilities below in the NPrinting May 2021 version (not sure whether these issues are fixed in the new version) and hope you can let us know how to fix them. Thanks in advance.
1. Our NPrinting web console has HTTPS access enabled, but when we access the web console over HTTP, we see: Client sent an HTTP request to an HTTPS server. Is it possible to redirect HTTP requests to HTTPS automatically, or to disable HTTP requests completely?
2. How do we add the HttpOnly attribute to the cookie NPWEBCONSOLE_XSRF-TOKEN?
3. How do we change the relative-path CSS links below to fixed paths?
<link rel="stylesheet" href="static/styles/vendor-3f4e154229.css">
<link rel="stylesheet" href="static/styles/webconsole-946a29a3c2.css">
4. When a user accesses https://nprinting-server.domain.local:4993/npe/apps%3cscript%3e_q_q=%27%29%28%27%3c/script%3e, the Qlik NPrinting service hasn't reviewed potentially dangerous characters; this may cause HTML injection attacks. Is it possible to encode dangerous characters?
Hi,
About point no. 2, the answer is no, because the JavaScript needs to be able to read it. Some details can be read in the article https://security.stackexchange.com/questions/175536/does-a-csrf-cookie-need-to-be-httponly.
About the others, I suggest you open a support ticket.
Best Regards,
Ruggero
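The cookie-to-header CSRF check that the reply above refers to, as an added example that is not part of the original thread and is not Qlik's code. It models why marking the token cookie HttpOnly makes legitimate requests fail. The header name `x-xsrf-token`, the `SESSION` cookie and all token values are assumptions constructed for illustration; only the cookie name comes from the question.

```javascript
const COOKIE_NAME = 'NPWEBCONSOLE_XSRF-TOKEN'; // cookie name from the question
const HEADER_NAME = 'x-xsrf-token';            // assumed header name, not confirmed for NPrinting

// Parse a Cookie header (or a document.cookie string) into a Map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// What page script sees in document.cookie: HttpOnly cookies are left out.
function scriptVisibleCookies(stored) {
  return stored.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
}

// Client: the browser attaches every cookie; script copies the token into a header.
function buildRequestHeaders(stored) {
  const headers = { cookie: stored.map((c) => `${c.name}=${c.value}`).join('; ') };
  const token = parseCookies(scriptVisibleCookies(stored)).get(COOKIE_NAME);
  if (token !== undefined) headers[HEADER_NAME] = token;
  return headers;
}

// Compare without returning early on the first differing character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server: accept a state-changing request only if header and cookie carry the same token.
function verifyCsrf(headers) {
  const cookieToken = parseCookies(headers.cookie || '').get(COOKIE_NAME);
  const headerToken = headers[HEADER_NAME];
  return Boolean(cookieToken && headerToken) && constantTimeEqual(cookieToken, headerToken);
}

// Constructed sample cookies (the SESSION name and all values are made up).
const session = { name: 'SESSION', value: 'constructed-session-id', httpOnly: true };
const readable = { name: COOKIE_NAME, value: 'constructed-token-123', httpOnly: false };
function demo() {
  return {
    tokenReadable: verifyCsrf(buildRequestHeaders([session, readable])),
    tokenHttpOnly: verifyCsrf(buildRequestHeaders([session, { ...readable, httpOnly: true }])),
    cookieOnly: verifyCsrf({ cookie: `${COOKIE_NAME}=${readable.value}` }),
  };
}
```

`demo()` returns `true` only for the script-readable token; the HttpOnly variant and the cookie-only request are both rejected because no matching header arrives. The token cookie can still carry `Secure` and `SameSite`, and HttpOnly remains appropriate for the session cookie.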
Since this question has to do with NPrinting, I will move your post to the NPrinting boards.