Critical Security vulnerability found by HP WebInspect regarding input validation. Note, this is a critical security vulnerability that's currently prohibiting a customer-base Wiki application from deploying onto a NASA production server. Your quick response with explanation for vulnerability returning in your software or fix is required for further validation with NASA Information Assurance before they will allow production deployment of your software onto their servers. Report states: The 'Authorization' HTTP header line must have at least 270 A's. Demonstration Exploit: GET / HTTP/1.0 Authorization: Ax270. Implication: A remote user can execute arbitrary code on the target system.
@Shawn, we provide support here for starter licenses. :)
I asked the security team how I could help with your security concern and they advised me to direct you to How to Report a Security Issue.
It would be great if you could follow up here in the Community when you get an answer, in case someone else has the same issue.
Hi Ann, thanks for your suggestion. I have filed a security Issue here: https://securitysd.atlassian.net/servicedesk/customer/portal/2/SEC-1650
I tried to report a bug, as I thought that would be the quickest resolution, but I found I did not have permissions to submit a bug. So the link fir reporting a Security issue was where I needed to go.
I will report back here on its success. Most likely it is not an actual vulnerability, but as it is a common security inspection tool flagging a vulnerability, we have to follow up. Thanks for your help,
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG