Hi.
We had a security/penetration audit on our ZK 6.5 WebApp. One of the issues is the output from the request /zkau?dtid=..., which at its simplest (no dtid value) returns {"rs":[]}. When more parameters are used, like /zkau?dtid=znko&cmd0=onChange&uuid0=bQ9Ql&data0=0, the output is more complex.
The main concern about this is that this output is available even to an unauthenticated user and could be abused by an attacker to target his attack more precisely, since it provides clues about the possible code design.
I would like to know how it is possible to deny access to this with some ZK settings or in the ZK source code (by generating an HTTP 403 error), or at least to deny access for unauthenticated users.
Thank you in advance.
Asked: 2014-01-16 07:33:12 +0800
Seen: 6 times
Last updated: Jan 16 '14
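One way to get the 403 behaviour asked for above is a servlet filter in front of the /zkau endpoint, shown here as an added example that is not from the original post or from the ZK project. It assumes the application's login code stores the logged-in user under a session attribute named "user" (a hypothetical name), and that the filter is mapped to /zkau/* in web.xml ahead of ZK's DHtmlUpdateServlet.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Rejects ZK AU requests (/zkau) that do not come from an authenticated
 * session. In web.xml, map it with <url-pattern>/zkau/*</url-pattern>
 * so it runs before the request reaches ZK's update servlet.
 */
public class ZkAuAuthFilter implements Filter {

    // Hypothetical attribute name; use whatever the login code sets.
    static final String USER_ATTR = "user";

    public void init(FilterConfig cfg) { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // getSession(false) never creates a session, so an anonymous probe
        // such as GET /zkau?dtid=... leaves no state on the server.
        HttpSession session = request.getSession(false);
        boolean authenticated =
                session != null && session.getAttribute(USER_ATTR) != null;

        if (!authenticated) {
            // Plain 403 and no body: the caller gets neither {"rs":[]} nor
            // the richer response that carries component uuids and data.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    public void destroy() { }
}
```

If the login page is itself a ZUL page it also needs /zkau to function, so either serve the login form as plain HTML/JSP or exempt that page's desktop from the filter. Check the fix by repeating the auditor's request without a session cookie and confirming a 403 with an empty body.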