Hi,

We are working on Ignite in a Kubernetes environment and using Ignite Web Console for querying. When we ran a security scan on Ignite Web Console, some security issues were reported by the scan. Below are the issues. All the below issues are reported as HIGH severity.

Could you please let me know if any of these issues are known issues and are being fixed? If so, please share the release version in which these will be fixed.

*1. Cross-Site Scripting*
URL: https://xx.xx.xx.xx/api/v1/configuration/clusters/
Entity: (Page)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Difference: Path manipulated from: /api/v1/configuration/clusters/ to: /api/v1/configuration/clusters/%22%3e%3cscript%3ealert%282176%29%3c%2fscript%3e
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
Raw Test Response:
...
X-XSS-Protection: 1; mode=block
Content-Length: 100
X-Content-Type-Options: nosniff
Cache-Control: must-revalidate
Strict-Transport-Security: max-age=15724800; includeSubDomains
X-Powered-By: Express
ETag: W/"64-whlLflliupqQjcgi+KGMzaGUR6I"
Date: Wed, 08 May 2019 16:15:49 GMT
Expires: -1
Content-Type: text/html; charset=utf-8

Cast to ObjectId failed for value "">" at path "_id" for model "Cluster"

*2. Oracle Application Server PL/SQL Unauthorized SQL Query Execution*
URL: https://xx.xx.xx.xx/api/
Entity: owa_util.signature (Page)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Insecure web application programming or configuration
Difference: Method manipulated from: POST to: GET
Path manipulated from: /api/v1/user to: /api/owa_util.signature
Reasoning: AppScan requested a file which is probably not a legitimate part of the application. The response status was 200 OK. This indicates that the test succeeded in retrieving the content of the requested file.
Raw Test Response:
...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Referer: https://xx.xx.xx.xx/
Connection: keep-alive
Host: xx.xx.xx.xx
Origin: https://xx.xx.xx.xx
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9

HTTP/1.1 200 OK
Last-Modified: Tue, 02 Apr 2019 12:35:57 GMT
x-ua-compatible: IE=Edge
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes
Vary: Accept-Encoding
Vary: Accept-Encoding
Content-Length: 1370
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15724800; includeSubDomains
content-language: en
ETag: "5ca3572d-55a"
Date: Wed, 08 May 2019 16:08:33 GMT
Content-Type: text/html

<!DOCTYPE html><html><head><base href="/"><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta http-equiv="content-language" content="en...
...

*3. Oracle Application Server PL/SQL Unauthorized SQL Query Execution*
URL: https://xx.xx.xx.xx/api/
Entity: owa_util.listprint (Page)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Insecure web application programming or configuration
Difference: Method manipulated from: POST to: GET
Path manipulated from: /api/v1/user to: /api/owa_util.listprint
Query manipulated from: (empty) to: p_theQuery=SELECT%20*%20FROM%20SYS.TAB&p_cname=&p_nsize=
Reasoning: AppScan requested a file which is probably not a legitimate part of the application. The response status was 200 OK. This indicates that the test succeeded in retrieving the content of the requested file.
Raw Test Response:
...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Referer: https://xx.xx.xx.xx/
Connection: keep-alive
Host: xx.xx.xx.xx
Origin: https://xx.xx.xx.xx
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9

HTTP/1.1 200 OK
Last-Modified: Tue, 02 Apr 2019 12:35:57 GMT
x-ua-compatible: IE=Edge
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes
Vary: Accept-Encoding
Vary: Accept-Encoding
Content-Length: 1370
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15724800; includeSubDomains
content-language: en
ETag: "5ca3572d-55a"
Date: Wed, 08 May 2019 16:08:33 GMT
Content-Type: text/html

<!DOCTYPE html><html><head><base href="/"><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta http-equiv="content-language" content="en...
...

*4. SQL Injection File Write (requires user verification)*
URL: https://xx.xx.xx.xx/assets/templates/confirm.tpl.164bcc1d08730e53bccd623695ce4351.html
Entity: xx.xx.xx.xx (Page)
Risk: It is possible to run remote commands on the web server. This usually means complete compromise of the server and its contents
Causes: Sanitation of hazardous characters was not performed correctly on user input
Difference:
Reasoning: The user needs to verify whether this test succeeded or not. Please see the advisory for more details.
Raw Test Response:
HTTP/1.1 200 OK
Last-Modified: Tue, 02 Apr 2019 12:35:57 GMT
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes
Vary: Accept-Encoding
Vary: Accept-Encoding
Content-Length: 1057
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15724800; includeSubDomains
ETag: "5ca3572d-421"
Date: Wed, 08 May 2019 16:08:26 GMT
Content-Type: text/html

<div class="modal modal--ignite theme--ignite" tabindex="-1" role="dialog"><div class="modal-dialog modal-dialog--adjust-height"><div class="modal-content"><div class="modal-header"> Confirmation <button class="close" type="button" aria-label="Close" ng-click="confirmCancel()"><svg ignite-icon="cross"></svg></button></div><div class="modal-body" ng-show="content"><p ng-bind-html="content"></p></div><div class="modal-footer"><div><button class="btn-ignite btn-ignite--link-success" id="confirm-btn-cancel" ng-click="confirmCancel()">Cancel</button><button class="btn-ignite btn-ignite--link-success" id="confirm-btn-no" ng-if="yesNo" ng-click="confirmNo()">No</button><button class="btn-ignite btn-ignite--success" id="confirm-btn-yes" ignite-auto-focus ng-if="yesNo" ng-click="confirmYes()">Yes</button><button class="btn-ignite btn-ignite--success" id="confirm-btn-ok" ignite-auto-focus ng-if="!yesNo" ng-click="confirmYes()">Confirm</button></div></div></div></div></div>...

--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
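The findings above boil down to two response-handling patterns: an error message that echoes the raw path segment back in a text/html body (finding 1, the Mongoose cast error), and an /api/ namespace that falls through to the SPA's index page with 200 OK for any unknown path (findings 2 and 3, which is why probes for owa_util.* look "found"). The following is an added illustration written for this thread, not code from the Ignite Web Console; the route shape, the ObjectId format and both handlers are assumptions for the demo.

```javascript
// Added example (not Ignite Web Console code). Models the reflecting error
// handler the scan reports, and a hardened router that validates ids before
// the database layer, keeps error bodies generic JSON, and closes the /api
// namespace so unmatched API paths get 404 instead of the SPA shell.
const OBJECT_ID = /^[0-9a-f]{24}$/i;      // assumed id format (24 hex chars)
const SPA_INDEX =                          // constructed stand-in for index.html
  '<!DOCTYPE html><html><head><base href="/"></head><body>app</body></html>';

function json(status, obj) {
  return {
    status,
    headers: { 'Content-Type': 'application/json; charset=utf-8' },
    body: JSON.stringify(obj),
  };
}

// The pattern behind finding 1: a cast error surfaced verbatim as text/html,
// so whatever the caller put in the path comes straight back in an HTML body.
function reflectingError(err) {
  return {
    status: 500,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: err.message,
  };
}

// Hardened routing: validate ids up front (no cast error, no echo), respond
// 404 for anything else under /api/, and only then fall back to the SPA page.
function handle(path) {
  const m = /^\/api\/v1\/configuration\/clusters\/([^/]*)$/.exec(path);
  if (m) {
    const id = decodeURIComponent(m[1]);
    if (!OBJECT_ID.test(id)) return json(400, { error: 'invalid cluster id' });
    return json(200, { _id: id });         // stand-in for the database lookup
  }
  if (path.startsWith('/api/')) return json(404, { error: 'not found' });
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: SPA_INDEX,
  };
}

// Check a scanner would apply: is the caller's input echoed in an HTML body?
function reflectsInHtml(res, input) {
  return res.headers['Content-Type'].startsWith('text/html') && res.body.includes(input);
}
```

The same two checks (no input reflected in a text/html error body; 404 rather than 200 for unknown /api/ paths) are what to re-run against a deployed console to confirm whether a scanner's HIGH findings are real or artefacts of the SPA fallback.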
