https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-manager-security-issue/m-p/143484#M5619 <HTML><HEAD></HEAD><BODY><SPAN>I see very easily exploited security issue with the ArcGIS 10+ Server Manager login.</SPAN><BR /><SPAN>Instead of redirecting to secured login page, a modal container is displayed on top of the page.</SPAN><BR /><SPAN>Very poor security design. </SPAN><BR /><BR /><SPAN>You can easily delete the LoginFormBackdrop in Chrome and circumvent the login. </SPAN><BR /><SPAN>Hacker's paradise.</SPAN><BR /><BR /><SPAN>[ATTACH=CONFIG]34767[/ATTACH]</SPAN><BR /><BR /><SPAN>To be secure, DO NOT&nbsp; Enable administrative access to your site through the Web Adaptor.</SPAN><BR /><SPAN>I don't know how ESRI let that go for so long without a fix.</SPAN><BR /><BR /><SPAN>[ATTACH=CONFIG]34768[/ATTACH]</SPAN></BODY></HTML> Fri, 20 Jun 2014 13:33:50 GMT DimitarKolev 2014-06-20T13:33:50Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-manager-security-issue/m-p/143484#M5619 <HTML><HEAD></HEAD><BODY><SPAN>I see very easily exploited security issue with the ArcGIS 10+ Server Manager login.</SPAN><BR /><SPAN>Instead of redirecting to secured login page, a modal container is displayed on top of the page.</SPAN><BR /><SPAN>Very poor security design. </SPAN><BR /><BR /><SPAN>You can easily delete the LoginFormBackdrop in Chrome and circumvent the login. </SPAN><BR /><SPAN>Hacker's paradise.</SPAN><BR /><BR /><SPAN>[ATTACH=CONFIG]34767[/ATTACH]</SPAN><BR /><BR /><SPAN>To be secure, DO NOT&nbsp; Enable administrative access to your site through the Web Adaptor.</SPAN><BR /><SPAN>I don't know how ESRI let that go for so long without a fix.</SPAN><BR /><BR /><SPAN>[ATTACH=CONFIG]34768[/ATTACH]</SPAN></BODY></HTML> Fri, 20 Jun 2014 13:33:50 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-manager-security-issue/m-p/143484#M5619 DimitarKolev 2014-06-20T13:33:50Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-manager-security-issue/m-p/143485#M5620 <HTML><HEAD></HEAD><BODY><SPAN>Yes, that is why we do not use Web Adaptor.</SPAN><BR /><BR /><A href="http://forums.arcgis.com/threads/106739-Web-Adaptor-with-Admin-rights?highlight=token">http://forums.arcgis.com/threads/106739-Web-Adaptor-with-Admin-rights?highlight=token</A><BR /><BR /><A href="http://resources.arcgis.com/en/help/main/10.1/index.html#/Configuring_the_Web_Adaptor_after_installation/01540000041q000000/">http://resources.arcgis.com/en/help/main/10.1/index.html#/Configuring_the_Web_Adaptor_after_installation/01540000041q000000/</A><BR /><BR /><A href="http://resources.arcgis.com/en/help/main/10.2/index.html#/Configuring_the_Web_Adaptor_after_installation/01540000041q000000/">http://resources.arcgis.com/en/help/main/10.2/index.html#/Configuring_the_Web_Adaptor_after_installation/01540000041q000000/</A><BR /><BR /><BLOCKQUOTE class="jive-quote">I see very easily exploited security issue with the ArcGIS 10+ Server Manager login.<BR />Instead of redirecting to secured login page, a modal container is displayed on top of the page.<BR />Very poor security design. <BR /><BR />You can easily delete the LoginFormBackdrop in Chrome and circumvent the login. <BR />Hacker's paradise.<BR /><BR />[ATTACH=CONFIG]34767[/ATTACH]<BR /><BR />To be secure, DO NOT&nbsp; Enable administrative access to your site through the Web Adaptor.<BR />I don't know how ESRI let that go for so long without a fix.<BR /><BR />[ATTACH=CONFIG]34768[/ATTACH]</BLOCKQUOTE></BODY></HTML> Wed, 02 Jul 2014 07:41:11 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-manager-security-issue/m-p/143485#M5620 chandesrisbasile1 2014-07-02T07:41:11Z