ArcGIS Server Manager Security Issue

06-20-2014 06:33 AM
DimitarKolev
New Contributor II
I see a very easily exploited security issue with the ArcGIS 10+ Server Manager login.
Instead of redirecting to a secured login page, a modal container is displayed on top of the page.
Very poor security design.

You can easily delete the LoginFormBackdrop in Chrome and circumvent the login.
Hacker's paradise.


To be secure, DO NOT Enable administrative access to your site through the Web Adaptor.
I don't know how ESRI let that go for so long without a fix.

1 Reply
chandesrisbasile1
Occasional Contributor
Yes, that is why we do not use the Web Adaptor.

http://forums.arcgis.com/threads/106739-Web-Adaptor-with-Admin-rights?highlight=token

http://resources.arcgis.com/en/help/main/10.1/index.html#/Configuring_the_Web_Adaptor_after_installa...

http://resources.arcgis.com/en/help/main/10.2/index.html#/Configuring_the_Web_Adaptor_after_installa...
