0

Unwanted output from /zkau?dtid=

asked 2014-01-16 07:33:12 +0800

onjo gravatar image onjo
3

Hi.

We had a security/penetration audit on our ZK 6.5 WebApp. One of the issues is output from request /zkau?dtid=... which at simplest (no dtid value) returns {"rs":[]} When more parameters used - like /zkau?dtid=znko&cmd0=onChange&uuid0=bQ9Ql&data0=0 the output is more complex.

The main concern about this fact is that this output is available even for not authenticated user and could be abused by attacker to target his attack more precisely by providing clues on possible code design.

I would like to know, how is possible to deny access to this with some zk settings or in zk source code( by generating HTTP 403 error ) or at least to deny access for not authenticated users.

Thank you in advance.

delete flag offensive retag edit
Be the first one to answer this question!
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools

Follow
1 follower

RSS

Stats

Asked: 2014-01-16 07:33:12 +0800

Seen: 6 times

Last updated: Jan 16 '14

Related questions

ZK 6.5.3 is now released

Controller updating UI every minute

annotation porting from zk 3.6.2 to 6.5.3

How to customize "Processing..." message

JBoss AS 7.1 +Spring+ZK+DHtmlLayoutServlet

GMaps 3.0.1 and ZK 6.5.3

Portallayout, portalchildren ordering storage, possible bug

Sniffer Based Monitoring of ZK Apps

The server is temporarily out of service. (syntax error (SyntaxError))

Migrating from ZK 6.5 to 7. Are there any changes?

About Us | Faq | Help | Privacy Policy | Contact Us
Copyright Potix Corporation 2015.
Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More