
Unauthenticated sensitive Information Disclosure - ArcGIS REST services

10-30-2018 09:12 AM
AsifIsmail
New Contributor III

Recently a security audit was done on our servers and applications, which have ArcGIS Enterprise installed on them.

Our architecture setup:

We have ArcGIS installed on the server. ArcGIS exposes its data via its RESTful API to its clients, which is authenticated with OAuth2 token security (an out-of-the-box Esri feature). We have mobile applications for both iOS/Android and web, which are built on top of Esri SDKs. Some of the features in the app consume data from ArcGIS REST services for their functioning.

The audit reported a potential vulnerability stating that one of the REST services discloses sensitive information, including email addresses and phone numbers, even to non-authenticated users.

Consider the web application: we make use of Esri's proxy files to manage access to our resources for it. The vulnerability was found for the following feature server query through the REST interface:

/webapp/proxy/proxy.ashx?https://www.site.com/ArcGIS/rest/services/PublicPortal/xxxxxx/FeatureServer/0/query?f=json&where=EMA...*

I understand this as a problem with the ArcGIS REST services, but I'm not sure about this. If someone could, please clarify the following point:

1) What could be done to mitigate this problem?

Kindly please help.

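The request in the post is a FeatureServer layer /query call forwarded through the Esri resource proxy. The following Python is an added example, not code from the original post or from Esri: it shows the check an auditor would run against such a response offline, extracting the backing layer URL from the proxy request, noting whether a token was supplied, and flagging attribute fields that look like PII by field name/alias or by the values actually returned. The sample response and the proxy URL are constructed (www.example.com, a layer named "Layer"), not the poster's service.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample (not a real service): the shape of an ArcGIS FeatureServer
# layer /query response with f=json, as returned to an unauthenticated caller.
SAMPLE_RESPONSE = json.dumps({
    "objectIdFieldName": "OBJECTID",
    "fields": [
        {"name": "OBJECTID", "type": "esriFieldTypeOID", "alias": "OBJECTID"},
        {"name": "NAME", "type": "esriFieldTypeString", "alias": "Name"},
        {"name": "EMAIL", "type": "esriFieldTypeString", "alias": "E-mail"},
        {"name": "PHONE", "type": "esriFieldTypeString", "alias": "Phone"},
        {"name": "CONTACT", "type": "esriFieldTypeString", "alias": "Contact"},
        {"name": "CITY", "type": "esriFieldTypeString", "alias": "City"},
    ],
    "features": [
        {"attributes": {"OBJECTID": 1, "NAME": "Alice Example",
                        "EMAIL": "alice@example.com", "PHONE": "+1 555 0100",
                        "CONTACT": "bob@example.org", "CITY": "Springfield"}},
        {"attributes": {"OBJECTID": 2, "NAME": "Carol Example",
                        "EMAIL": None, "PHONE": "555-0199",
                        "CONTACT": "n/a", "CITY": "Shelbyville"}},
    ],
})

# Hypothetical proxied request in the same shape as the one in the post
# (example host and layer name, not the poster's service).
SAMPLE_PROXY_URL = ("/webapp/proxy/proxy.ashx?https://www.example.com/ArcGIS/rest/"
                    "services/PublicPortal/Layer/FeatureServer/0/query?f=json&where=1%3D1")

SENSITIVE_NAME = re.compile(r"e[-_ ]?mail|phone|mobile|cell|fax", re.IGNORECASE)
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_VALUE = re.compile(r"^\+?[\d\s().-]{7,}$")


def split_proxy_request(proxy_url):
    """Return (target_url, layer_url, has_token) for a resource-proxy request.

    The Esri proxy forwards everything after the first '?' to the backing
    service, so that is the URL an auditor should re-request without the proxy.
    """
    target = proxy_url.split("?", 1)[1] if "?" in proxy_url else ""
    layer = target.split("/query", 1)[0]
    params = parse_qs(urlparse(target).query)
    return target, layer, "token" in params


def find_sensitive_fields(response):
    """Flag fields that look like PII, by field name/alias and by returned values.

    Returns {field_name: sorted list of reasons}; reasons are 'name',
    'email-value' and 'phone-value'. Non-string values (OIDs, nulls) are skipped.
    """
    if isinstance(response, str):
        response = json.loads(response)
    findings = {}

    def flag(field, reason):
        findings.setdefault(field, set()).add(reason)

    for field in response.get("fields", []):
        label = field.get("name", "") + " " + field.get("alias", "")
        if SENSITIVE_NAME.search(label):
            flag(field["name"], "name")

    for feature in response.get("features", []):
        for name, value in feature.get("attributes", {}).items():
            if not isinstance(value, str):
                continue
            if EMAIL_VALUE.match(value):
                flag(name, "email-value")
            elif PHONE_VALUE.match(value):
                flag(name, "phone-value")

    return {name: sorted(reasons) for name, reasons in findings.items()}


if __name__ == "__main__":
    target, layer, has_token = split_proxy_request(SAMPLE_PROXY_URL)
    print("layer behind the proxy:", layer, "(token supplied)" if has_token else "(no token)")
    for field, reasons in sorted(find_sensitive_fields(SAMPLE_RESPONSE).items()):
        print(f"{field}: {', '.join(reasons)}")
```

Run the same check against the layer URL without the proxy in front of it: if the service returns the same records with no token, the exposure is on the ArcGIS service itself and the proxy is only relaying it. The usual remediations, from most to least robust, are to secure the service so that it requires a token, to expose public consumers only a hosted view or separate layer that omits the PII fields (field visibility), and to keep the proxy's serverUrls allowlist limited to the resources the web app actually needs, since that list is what the Esri resource proxy uses to decide which backing URLs it will forward to.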