Hi,
Our customer ran a WebInspect scanner on the QlikView servers and got back the reports (attached). The reports say that there are some security vulnerabilities in Consona Qlikview files as follows:
HIGH : Possible Username or Password Disclosure
File Names : http://ddcwq30296:80/Analytics/Default.htm
Summary : A username or password was found during "unknown" application testing. Unknown application testing seeks to uncover new vulnerabilities in both custom and commercial software. Because of this, there are no specific patches or descriptions for this issue. Please note that this vulnerability may be a false positive if the page it is flagged on is technical documentation. Recommendations include removing the information from the production server, or otherwise restricting access.
Any suggestions on this?
Thanks,
Vijaya
Could this be what they are finding?
Hi,
Can you please provide more details on this Security Vulnerability issue?
From the above answer I can just make out that it's a known bug in 10SR2 and 10SR3, fixed in 10SR4.
Any other suggestion rather than upgrading?
Thanks,
Vijaya
Please read the entire Forum post. The link took you to the 2nd page. It should be enough to explain the issue.
Thanks,
JS
Hi,
The scanner seems to complain about the namespace declaration xmlns:user="uri:user".
Authentication is done via Negotiate NTLM.
I would say, it's just a false positive test and it has really nothing in common with the issue from thread 171829.
Regards
Sven
vijayarawat;
I happened to have noticed your posting, and for full disclosure I have been supporting WebInspect for years.
This finding is security check #10551. This check is rather simplistic, simply flagging HTTP responses as they arrive back to the scanner based on visible keywords. In this case, your attached reports show that the only offending part of the HTTP responses appears to be xmlns:user="uri:user". I agree with S.Uhlig that you can probably mark this item as a False Positive, under your conditions. If you have further concerns, our Support team is ready to answer any questions: http://support.openview.hp.com/ or +1-800-633-3600.
I noticed that this check 10551 is not enabled in the current Standard scan policy for WebInspect/AMP 9.1, so your scan policy of choice must be an older copy of the Standard, a different policy file, or simply have that particular #10551 customized and enabled in it. Your AMP administrators may need to update or adjust this policy for you.
If you would like to understand what keywords this check flags on, or even modify them yourself for more accurate discovery, you (or your AMP admins) will be able to do this with the Audit Inputs Editor tool. This side tool can only be found in one of the two following ways.
1. Open the Policy Manager tool > Tools menu > Audit Inputs Editor.
2. Open your scan settings (Edit menu Default Scan Settings) > open the Attack Exclusions panel > Audit Inputs Editor button.
+++++
For this check, here are the current default keywords, which you can append to or modify.
Username list:
uid
user
username
uname
usr
Password field names:
password
passwd
pass
pwd
+++++
If any HP Fortify customer has questions regarding WebInspect, AMP, or QAInspect for HPQC, we welcome you to join our free forums (requires free HP Passport account) at:
http://h30499.www3.hp.com/t5/HP-Application-Security-Center/ct-p/sws-sc01
http://h30499.www3.hp.com/t5/Application-Security-Community/ct-p/sws-AS
~~Habeas Data
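The post above describes check #10551 as a keyword match over HTTP responses, and the thread concludes that a bare xmlns:user="uri:user" namespace declaration is what tripped it. The following is an added example, not code from the thread and not WebInspect's actual check logic: it models the keyword-only behaviour the post describes using the default keyword lists quoted there, then shows a refined triage rule that ignores XML namespace declarations and requires a key=value / key:value shape before treating a hit as a credential disclosure. Both sample response bodies are constructed for the example; the refinement is an illustration of how a defender might tune such a check, not a description of any WebInspect setting.

```python
import re

# Default keyword lists for check #10551 as quoted in the post above.
USERNAME_KEYWORDS = ["uid", "user", "username", "uname", "usr"]
PASSWORD_KEYWORDS = ["password", "passwd", "pass", "pwd"]
ALL_KEYWORDS = USERNAME_KEYWORDS + PASSWORD_KEYWORDS

# Constructed sample: a page whose only credential-like text is an XML namespace
# declaration, the situation the thread describes for the QlikView Default.htm.
QLIKVIEW_LIKE_RESPONSE = (
    '<html xmlns:user="uri:user" xmlns="http://www.w3.org/1999/xhtml">\n'
    "<head><title>Analytics</title></head><body></body></html>"
)

# Constructed sample of a genuine disclosure: a test account left in page source.
LEAKED_RESPONSE = (
    "<!-- test account: username=svc_report password=Summer2012! -->\n"
    "<html><body>Report</body></html>"
)


def naive_keyword_hits(body: str) -> list:
    """Model of a keyword-only check: report every keyword that appears as a
    whole word anywhere in the response body, case-insensitively.
    A namespace prefix such as xmlns:user is enough to trigger it."""
    lower = body.lower()
    return [kw for kw in ALL_KEYWORDS if re.search(rf"\b{re.escape(kw)}\b", lower)]


# Refinement (assumption, not a WebInspect feature): drop XML namespace
# declarations first, then require keyword [=:] value with the keyword not
# glued to a preceding word character, ':' or '-'.
NAMESPACE_DECL = re.compile(r'xmlns:[\w-]+\s*=\s*"[^"]*"', re.IGNORECASE)
ASSIGNMENT = re.compile(
    r"(?<![\w:-])(?P<key>"
    + "|".join(re.escape(k) for k in sorted(ALL_KEYWORDS, key=len, reverse=True))
    + r")\s*[=:]\s*[\"']?(?P<value>[^\s\"'<>;]+)",
    re.IGNORECASE,
)


def credential_pairs(body: str) -> list:
    """Return (key, value) pairs that look like an actual credential assignment."""
    stripped = NAMESPACE_DECL.sub("", body)
    return [(m.group("key").lower(), m.group("value")) for m in ASSIGNMENT.finditer(stripped)]


def triage(body: str) -> str:
    """Defender's triage of a check #10551 hit:
    - credential-shaped pair present      -> 'confirmed'
    - keyword hit but no such pair        -> 'likely false positive'
    - no keyword at all                   -> 'clean'"""
    if credential_pairs(body):
        return "confirmed"
    if naive_keyword_hits(body):
        return "likely false positive"
    return "clean"


if __name__ == "__main__":
    for name, body in [("QlikView-like page", QLIKVIEW_LIKE_RESPONSE),
                       ("leaked test account", LEAKED_RESPONSE)]:
        print(f"{name}: naive hits={naive_keyword_hits(body)} "
              f"pairs={credential_pairs(body)} -> {triage(body)}")
```

Run stand-alone, the script shows the QlikView-like page hitting only on the word "user" from the namespace declaration and being triaged as a likely false positive, while the constructed leaked-account page yields real key/value pairs and is confirmed. The same shape of rule could be expressed as an adjusted keyword list in the Audit Inputs Editor the post mentions, but the regex refinement here is the example's own.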