ArcGIS Server 10.2 - lots of app scan security warnings - false positives?

02-17-2021 12:07 PM
JasonFitzsimmons
Occasional Contributor

Hello,

I posted a question about a severe warning from an app scan related to map services used in our web app, which turned out to be false positives (according to Esri support).
The same security scan produced several low level warnings about the same map services, which I am now wondering if they are false positives as well? Has anyone ever come across these warnings related specifically to read-only map services published on (stand alone) ArcGIS Server? (P.S. we do not use Web Adapter.) We use IIS on a Windows Server. We are in the process of migrating these apps (I know this version is old!)

Body Parameters Accepted in Query
Severity: Low
CVSS Score: 5.0
URL: https://name:6443/arcgis/rest/services/servicename/MapServer/export
Entity: export (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Do not accept body parameters that are sent in the query string
Reasoning: The test result seems to indicate a vulnerability because the Test Response is similar to
the Original Response, indicating that the application processed body parameters that were
submitted in the query

 

Cacheable SSL Page Found
Severity: Low
CVSS Score: 5.0
URL: https://name:6443/arcgis/rest/services/servicename/MapServer
Entity: MapServer (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
Causes: Sensitive information might have been cached by your browser
Fix: Prevent caching of SSL pages by adding "Cache-Control: no-store" and "Pragma: no-cache"
headers to their responses.
Reasoning: The application has responded with a response that indicates the page should be cached,
but cache controls aren't set (you can set "Cache-Control: no-store" or "Cache-Control: nocache"
or "Pragma: no-cache" to prevent caching).

 

( we do not use Oracle, so I assume this is not correct)

Oracle Log File Information Disclosure
Severity: Low
CVSS Score: 5.0
URL: https://name:6443/arcgis/rest/services/servicename/
Entity: sqlnet.trc (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
Causes: The web server or application server are configured in an insecure way
Fix: Turn off tracing, restrict access to the log file, or remove it.
Reasoning: AppScan requested a file which is probably not a legitimate part of the application. The
response status was 200 OK. This indicates that the test succeeded in retrieving the
content of the requested file.

 

0 Kudos
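Added example, not part of the original post and not Esri's or the scanner vendor's code: a Python helper for re-checking two of the reported findings by hand. It applies the cache-header rule quoted in the "Cacheable SSL Page Found" finding, and tests whether a 200 OK for a requested file such as sqlnet.trc differs from what the server returns for a name that cannot exist. The baseline comparison, the 0.9 threshold and all sample responses are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher

def is_cacheable(headers):
    """True when none of the directives named in the 'Cacheable SSL Page'
    finding (Cache-Control: no-store / no-cache, Pragma: no-cache) is present."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    directives = {d.strip().split("=")[0] for d in h.get("cache-control", "").split(",")}
    blocked = bool({"no-store", "no-cache"} & directives) or "no-cache" in h.get("pragma", "")
    return not blocked

def _normalised(resp):
    # Drop the echoed file name so two "same page" responses compare equal.
    return resp["body"].replace(resp["name"], "")

def looks_like_soft_404(probe, baseline, threshold=0.9):
    """probe: response for the file the scanner requested; baseline: response for
    a random name that cannot exist. Both 200 with near-identical bodies means
    the 200 status alone does not show that the file was retrieved."""
    if probe["status"] != 200 or baseline["status"] != 200:
        return False
    ratio = SequenceMatcher(None, _normalised(probe), _normalised(baseline)).ratio()
    return ratio >= threshold

# Constructed sample responses (not captured from any real server).
PAGE = "<html><body><h1>Service listing</h1><p>Resource: {}</p></body></html>"

def _resp(name, status, body):
    return {"name": name, "status": status, "body": body}

BASELINE = _resp("zz-not-here-7f3a.txt", 200, PAGE.format("zz-not-here-7f3a.txt"))
SAME_PAGE = _resp("sqlnet.trc", 200, PAGE.format("sqlnet.trc"))
REAL_FILE = _resp("sqlnet.trc", 200,
                  "[trace] connect user=app host=db01\n[trace] session closed\n")

if __name__ == "__main__":
    print("no cache headers ->", is_cacheable({"Content-Type": "text/html"}))
    print("no-store set     ->", is_cacheable({"Cache-Control": "no-store"}))
    print("same page probe  ->", looks_like_soft_404(SAME_PAGE, BASELINE))
    print("distinct content ->", looks_like_soft_404(REAL_FILE, BASELINE))
```

A probe that matches the baseline still deserves a look at the actual body; a probe that does not match is the case to review first.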
JonEmch
Esri Regular Contributor

Hey there Jason, thanks for reaching out.

Been a while since I've seen a 10.2 question! I took the liberty of taking a look at your other case and comparing the security warnings. It seems to me that PSIRT is still analyzing these warnings, so it's going to be hard to tell if they are apples to apples (versions aside). Due to the nature of the age of the Enterprise deployment, I would encourage you to continue the migration and see if these pop up in the 10.7.x deployment. Please keep me in the loop if this continues to occur there.

Keep on keeping on!
0 Kudos
JasonFitzsimmons
Occasional Contributor

Hi and thanks for the reply - yes, PSIRT said the same thing essentially. I know that 10.2 is very old and there have been many fixes since then. We are in the process of migrating to 10.7.1 on these servers now, and will rerun the scan after that.

JonEmch
Esri Regular Contributor

Sounds great Jason, I'm here if you have any related questions!

Keep on keeping on!
0 Kudos