Client penetration testing on 5.2.2408 revealed a number of medium- and low-severity concerns. Product development is working towards addressing most of these concerns within the next 4 months. This article has been created to track their progress.
For further information regarding penetration testing please reference the article below:
https://support.optimizely.com/hc/en-us/articles/4413199823245-Security-assessments
| Finding | Severity | Description | Status | Notes |
|---|---|---|---|---|
| API Rate Limiting | Medium | The API exposes sensitive endpoints that are not protected by rate limiting. Attackers can query the API far more often than legitimate API consumers, which allows them to overwhelm the server by consuming excessive computational resources and can make the API, and potentially other services on the server, unavailable to legitimate users. | On the roadmap | The Configured Commerce product team acknowledges the concern and has it on the roadmap. They state that it requires deep research and involvement from multiple teams. |
| Improper Authorization | Medium | The Buyer role can change their account name by intercepting and modifying a PATCH request, despite this option being disabled in the user interface. | Fixed in 5.2.2503 | |
| Account Lockout Bypass via Race Condition | Medium | A race condition occurs when multiple login attempts are processed simultaneously, before the account lockout mechanism can be triggered, allowing continuous guessing of credentials without being locked out. | Fixed in 5.2.2504 | |
| Incomplete Account Logout Functionality | Medium | Logging out of the application does not forcefully invalidate the session cookie and bearer token. If these values become compromised, an attacker may take over a user's session. | Fixed in 5.2.2410 STS and 5.2.2412 LTS | |
| Weak Password Requirements | Medium | Commonly used passwords that appear on top-100 password lists are accepted by the application. These passwords are highly targeted during password spraying attacks. | The product team is researching options | |
| Server-Side Request Forgery | Medium | There exists an authenticated endpoint that takes an arbitrary URL as a parameter to which the server will make a request. | Fixed in 5.2.2501 STS and 5.2.2504 LTS | |
| JWT Signature Exclusion | Medium | The application allows for the tampering of JSON Web Tokens (JWT). Attackers can modify req | Working as Designed | The reported issue does not relate to JWT signature validation. The change is to the Authorization header (which is the client id) and the requested scopes, before the client ever gets a JWT token. Confirmation of this is that if this is done with a storefront user, you can get a JWT token, but that token cannot be used to access Admin Console functions. Also, if the token is tampered with, it will be invalid. |
| Hard-Coded Secrets | Medium | The application's source code was found to contain hard-coded secrets, including a username and password. | Working as Designed | This basic auth header is required by IdentityServer to identify which SSO Client configuration to use. It is only an identifier and contains no compromising information, as the only OAuth flow enabled for the isc and isc_admin SSO Client configurations is the Resource Owner Password Credentials (ROPC) flow, which requires the actual username and password to obtain an access token. |
| CKEditor Out of Date | Medium | CKEditor 4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in the CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in the CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained; due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. | We will replace CKEditor in the Admin Console with Tiny. | |
| Request URL Override | Medium | The application appears to support HTTP headers that can be used to override parts of the request URL, potentially affecting processing of the request. In some cases these headers can be used to bypass protection systems and to forge log entries. | Working as Designed | This is a known behavior. Changing this behavior would interfere with customers using x-forwarded-host. |
| SSL Cookie Without Secure Flag Set | Medium | cookie.cms_CurrentContentMode | Working as Designed | CurrentContentMode is used to determine whether the CMS shell is in edit or view mode. If someone were to change this cookie to edit mode, they could potentially see unpublished content. The cookie value is signed in a secure way so that we can trust the cookie values. Marking the cookie HttpOnly is not an option because it is used by JS. |
| AngularJS Out of Date/End of Life | Medium | Improper sanitization of the value of the '[srcset]' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing). This issue affects AngularJS versions 1.3.0-rc.4 and greater. | New development in the Admin Console uses React; AngularJS will be phased out over time. | |
| Password Submitted via the GET Method | Medium | A form within the affected page appears to transmit user passwords within the query string (using the GET method). Sensitive data within URLs may be logged at a [...] All user credentials, including passwords and session tokens, should be transmitted using the POST method. | Working as Designed | This is a false positive by the scanner. The form is submitted via JavaScript (via a submit button); the scanner sees a form without a method attribute and a submit button and assumes it uses GET when it does not. |
| Possible Session Token in URL | Medium | The application passes authentication tokens within the URL. These tokens may be stored in various locations, including the user's web browser, the server, and any forward or reverse proxies. If an attacker can recover the token, they may be able to use it to interact with the application as that user. | Addressed in 5.2.2409 and later | It is not a session token, it is an anti-forgery token; not an issue. |
| jQuery Out of Date/End of Life | Medium | | Will be addressed with the removal of CKEditor | References to jQuery will be removed at the same time as CKEditor. |
| Frameable URL Could Allow Clickjacking Attacks | Low | It may be possible for a web page controlled by an attacker to load the affected application (or specific pages) within an iframe on the attacker's page. This may allow a "clickjacking" attack, whereby the attacker's page overlays the target application with a different interface designed to trick the user into performing unwanted actions. Note that this issue is being reported because the application's response does not set a suitable X-Frame-Options header to prevent framing attacks. | | |
| Possible Path Traversal via Path Parameter Obfuscation | Low | The application appears to support path parameters. It is sometimes possible to access sensitive files or other restricted components by using path parameters to bypass route-matching rules. | Unable to recreate in the latest release. | Could not recreate. |
| Cacheable HTTPS Responses | Low | Unless directed otherwise, browsers may store a locally cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, it may be retrieved at a future time by other users who have access to the same computer. | | This rule is out of date. Nobody uses Internet Explorer anymore, and Spire has never supported it. The entire internet uses HTTPS. Blocking the caching of HTTPS responses would have a significant negative effect on site performance and the user experience. |
| Incomplete Client-Side Inactivity Timeout | Low | When a user's session expires, their active window is not redirected to a timeout or login page. Any information on the page remains exposed. | Working as Designed | This is currently designed behavior on the Storefront: any action on the website after the session times out redirects the user to the Sign In page. |
| | Low | | Working as Designed | CSP is a blank-by-default Admin Console field. If the default were changed to something restrictive, it would break some sites when they deploy the upgrade. |
| | Low | | | This relates to a configuration in Cloudflare that is being taken into consideration. |
| Simultaneous User Sessions Allowed | Low | A threat actor would be able to access the account at the same time as the user, without the user's knowledge. | | |
| Unauthorized Administrative Access | Low | An anonymous user on the internet can access administrative pages, which reveal the password requirements for the administrator account. | | |
| Use of HTTP Basic Authentication | Low | The application utilizes HTTP basic authentication, which reveals usernames and passwords to anonymous users. | Working as Designed | Not an issue as described: TLS prevents unauthorized third parties from monitoring communications between the browser and server. |
| Insufficient Cookie Protection | Low | When using the Remember Me functionality at login, the new cookie that acts as a session cookie is not set with the HttpOnly directive. If an attacker identifies a Cross-Site Scripting (XSS) vulnerability, they will be able to extract the cookie. | Working as Designed | We use this cookie in JS code, so it is not possible to mark it HttpOnly. |
| Predictable Session Identifier | Low | The Remember Me functionality uses the same session cookie value once a user is authenticated. This increases the attack surface of the session cookie, as it is static. | | |
| Exposed Swagger UI | Low | The Swagger page is exposed to the public and reveals the API model, including the admin API. Attackers may use this information to target the API more easily. | Working as Designed | This does not leak access to any application data and is not practically fixable, as the API documentation is public and undocumented APIs can be reverse-engineered from the JavaScript code. |
| Using Components with Known Vulnerabilities | Low | The potential attack surface of the application is increased by the use of components with known vulnerabilities. These vulnerabilities could not be directly exploited in the current application context. | | |
| Web Application Firewall Bypass | Info/Low | The Cloudflare Web Application Firewall (WAF) can be bypassed by adding 128 KB of benign junk data before any payload. | | |
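The API rate-limiting finding is the classic case for a per-consumer token bucket, keyed on the authenticated identity or API client id rather than only the source IP. The following is an added example, not Configured Commerce code; the consumer key, the capacities and the `FakeClock` used to make the demonstration deterministic are assumptions.

```python
import time


class TokenBucketLimiter:
    """Per-consumer token bucket. Each key gets `capacity` tokens of burst and
    earns `refill_per_sec` tokens per second; `clock` is injectable so the
    behaviour can be tested without waiting on real time."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self._buckets: dict[str, list[float]] = {}   # key -> [tokens, last_refill]

    def _bucket(self, key: str) -> list[float]:
        now = self.clock()
        b = self._buckets.setdefault(key, [self.capacity, now])
        # Refill in proportion to elapsed time, never beyond capacity.
        b[0] = min(self.capacity, b[0] + (now - b[1]) * self.refill_per_sec)
        b[1] = now
        return b

    def allow(self, key: str, cost: int = 1) -> bool:
        """Admit the request if the consumer still has `cost` tokens. Expensive
        endpoints (search, exports) can charge more than one token."""
        b = self._bucket(key)
        if b[0] >= cost:
            b[0] -= cost
            return True
        return False

    def retry_after(self, key: str, cost: int = 1) -> float:
        """Seconds until `cost` tokens are available (for the Retry-After header)."""
        b = self._bucket(key)
        return max(0.0, (cost - b[0]) / self.refill_per_sec)


class FakeClock:
    """Constructed deterministic clock; set .now to advance time in tests."""
    now = 0.0

    def __call__(self) -> float:
        return self.now


def burst_admitted(n_requests: int, capacity: int = 10, refill_per_sec: float = 2.0) -> int:
    """Constructed scenario: one consumer fires n_requests at the same instant.
    Returns how many are admitted; the rest would get HTTP 429 with Retry-After."""
    limiter = TokenBucketLimiter(capacity, refill_per_sec, FakeClock())
    return sum(limiter.allow("api-client-42") for _ in range(n_requests))
```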
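For the account lockout race condition, the defect and its fix side by side, as an added example that is not the product's code: `login_racy` has the check-then-act flaw (a burst of concurrent attempts all passes the lockout check before any counter update), while `login_safe` charges the attempt inside a per-account critical section before the slow credential check. The `Account` class, the 0.1 s sleep standing in for a password hash and the candidate lists are assumptions.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class Account:
    MAX_FAILURES = 5
    def __init__(self, password: str) -> None:
        self.password = password                  # plaintext only for illustration
        self.failures, self.locked = 0, False
        self.mutex, self.evaluations = threading.Lock(), 0   # evaluations = hashes actually run

    def _verify(self, candidate: str) -> bool:
        with self.mutex:
            self.evaluations += 1
        time.sleep(0.1)                           # stand-in for a slow hash (bcrypt/Argon2)
        return candidate == self.password

    def login_racy(self, candidate: str) -> bool:
        # Check-then-act: parallel attempts all see 'not locked' and all get hashed.
        if self.locked:
            return False
        if self._verify(candidate):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= self.MAX_FAILURES
        return False

    def login_safe(self, candidate: str) -> bool:
        # Charge the attempt atomically first: extra attempts are refused while earlier ones hash.
        with self.mutex:
            if self.locked:
                return False
            self.failures += 1
            self.locked = self.failures >= self.MAX_FAILURES
        if self._verify(candidate):
            with self.mutex:
                self.failures, self.locked = 0, False
            return True
        return False


def concurrent_burst(login, candidates: list[str]) -> int:
    # Constructed scenario: release every attempt at the same instant; returns successes.
    start = threading.Barrier(len(candidates))

    def attempt(pw: str) -> bool:
        start.wait()
        return login(pw)

    with ThreadPoolExecutor(max_workers=len(candidates)) as pool:
        return sum(pool.map(attempt, candidates))
```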
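The incomplete logout finding is about state: a signature check alone cannot revoke a cookie or bearer token that has already been copied. This added example, which is not the product's cookie or bearer-token format, keeps a server-side session record that logout deletes; the `SessionStore` API and the `sid.issued.signature` token layout are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


class SessionStore:
    """Server-side session registry. The HMAC on a token stops forgery, but only
    the server-side record says whether the session is still live, which is what
    lets logout revoke a token that has already been copied elsewhere."""

    def __init__(self, key: bytes, ttl_seconds: int = 3600, clock=time.time) -> None:
        self.key, self.ttl, self.clock = key, ttl_seconds, clock
        self.sessions: dict[str, dict] = {}          # sid -> {"user", "issued"}

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)             # unguessable; alphabet has no '.'
        issued = int(self.clock())
        self.sessions[sid] = {"user": user, "issued": issued}
        payload = f"{sid}.{issued}"
        return f"{payload}.{self._sign(payload)}"

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user for a live token, else None (forged, revoked or expired)."""
        try:
            sid, issued, sig = token.split(".")
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(f"{sid}.{issued}")):
            return None
        record = self.sessions.get(sid)
        if record is None:
            return None                              # revoked by logout, or never issued
        if self.clock() - record["issued"] > self.ttl:
            del self.sessions[sid]
            return None
        return record["user"]

    def logout(self, token: str) -> None:
        self.sessions.pop(token.split(".")[0], None)   # a copy taken earlier is now useless

    def logout_everywhere(self, user: str) -> int:
        # Revoke all of a user's sessions, e.g. after a password change; returns the count.
        before = len(self.sessions)
        self.sessions = {s: r for s, r in self.sessions.items() if r["user"] != user}
        return before - len(self.sessions)
```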
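For the server-side request forgery finding, the defender's check is to validate the destination before the server fetches it. The following is an added example and not the product's fix; the allowlisted hosts, the constructed DNS table and the `is_fetchable` helper are assumptions. It goes beyond the single endpoint in the finding by also covering the userinfo trick and names that resolve to more than one address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only destinations this feature legitimately needs.
ALLOWED_HOSTS = {"images.example-cdn.test", "erp.example-partner.test"}

# Constructed DNS table so the example runs offline (pass resolve_dns for real lookups).
CONSTRUCTED_DNS = {
    "images.example-cdn.test": ["93.184.216.34"],   # public address
    "erp.example-partner.test": ["10.0.0.5"],       # allowlisted name that points inside
}


def resolve_dns(host: str) -> list[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_resolve(host: str) -> list[str]:
    return CONSTRUCTED_DNS.get(host, [])


def validate_outbound_url(url: str, resolver=resolve_dns) -> str:
    """Return url if the server may fetch it, else raise ValueError. Checks: https
    only, no userinfo (the host@evil trick), hostname on the allowlist, and every
    resolved address publicly routable (rejects loopback, RFC 1918, link-local
    including cloud metadata, and reserved ranges). The fetch must then connect
    to the validated address rather than resolve the name again (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = (parts.hostname or "").rstrip(".")      # .hostname is already lowercased
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    addresses = resolver(host)
    if not addresses:
        raise ValueError(f"{host} did not resolve")
    for addr in addresses:                         # every record, not only the first
        ip = ipaddress.ip_address(addr)
        if not ip.is_global or ip.is_multicast:
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return url


def is_fetchable(url: str, resolver=resolve_dns) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False
```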
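The request URL override finding and the product team's note about x-forwarded-host are reconciled by honouring that header only when the request arrives from a proxy you operate, and only for a host you actually serve. Added example, not product code; the proxy range, the host allowlist and the `accepts` helper are constructed assumptions.

```python
import ipaddress

# Constructed values: egress range of the proxies/CDN we operate, and the hosts we serve.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWED_HOSTS = {"shop.example.test", "admin.example.test"}


def effective_host(remote_addr: str, headers: dict[str, str]) -> str:
    """Return the host name this request is really for, or raise ValueError.
    X-Forwarded-Host is honoured only when the TCP peer is one of our own
    proxies, and the result must still be a host we serve, so a forged header
    cannot redirect generated links or poison logs and caches.
    `headers` must have lowercased keys (as most frameworks provide)."""
    peer = ipaddress.ip_address(remote_addr)
    host = headers.get("host", "")
    forwarded = headers.get("x-forwarded-host", "")
    if forwarded and any(peer in net for net in TRUSTED_PROXIES):
        host = forwarded.split(",")[0]          # first value = client-facing host
    hostname = host.split(":")[0].strip().lower().rstrip(".")   # drop :port
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unrecognised host {host!r} from {remote_addr}")
    return hostname


def accepts(remote_addr: str, headers: dict[str, str]) -> bool:
    try:
        effective_host(remote_addr, headers)
        return True
    except ValueError:
        return False
```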
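Several findings above are response-header checks: Secure and HttpOnly on cookies, X-Frame-Options or a CSP frame-ancestors directive against clickjacking, and Cache-Control for cacheable HTTPS responses. The following audit is an added example, not the product's or the scanner's code; the two sample responses are constructed, reusing only the cms_CurrentContentMode cookie name from the findings.

```python
def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """(lowercased-name, value) pairs; repeated headers such as Set-Cookie are kept."""
    pairs = []
    for line in raw_response.strip().splitlines()[1:]:    # [1:] drops the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw_response: str, authenticated: bool = True) -> list[str]:
    """List the header weaknesses a scanner would report. HttpOnly is flagged as a
    question: a cookie that JS must read (as the product team says above) cannot carry it."""
    headers = parse_headers(raw_response)
    def values(name: str) -> list[str]:
        return [v for k, v in headers if k == name]
    findings = []
    for cookie in values("set-cookie"):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cname}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cname}: missing HttpOnly (does JS really need it?)")
        if "samesite" not in attrs:
            findings.append(f"cookie {cname}: missing SameSite")
    csp = " ".join(values("content-security-policy")).lower()
    xfo = [v.lower() for v in values("x-frame-options")]
    if "frame-ancestors" not in csp and not any(v in ("deny", "sameorigin") for v in xfo):
        findings.append("frameable: no X-Frame-Options and no CSP frame-ancestors")
    if authenticated and "no-store" not in ",".join(values("cache-control")).lower():
        findings.append("authenticated response is cacheable: Cache-Control lacks no-store")
    return findings


# Constructed sample responses; not captured from any real deployment.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: cms_CurrentContentMode=edit; Path=/
Set-Cookie: rememberme=abc123; Path=/; Secure
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-store
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
Set-Cookie: cms_CurrentContentMode=view; Path=/; Secure; SameSite=Lax
Set-Cookie: rememberme=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""
```

Against the hardened response the only remaining finding is the HttpOnly question on the cookie the team says JS must read, which is exactly the kind of accepted-risk note a tracker like this should record.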
Reported Version: Cloud
Cause: Medium and Low penetration test concerns.
Workaround: N/A
Resolutions will be posted below. Please use the Follow button to receive status updates.