#1 2017-11-20 12:15:32

GauravKumar
Member
Registered: 2017-05-26

Security Issues

Hi Team,

My Report Server version is 3.0.2.
We faced the following security issues.
If possible, kindly provide a solution.

1. Click-Jacking (UI redress attack) is possible
2. User Password is sent in clear text which can be intercepted
3. Simultaneous Login from one account is possible
4. Dangerous methods such as TRACE, PUT, DELETE, TRACK, OPTIONS, HEAD are allowed
5. Missing HTTP Security headers in responses
6. Restrict certain types of file-upload (.jsp,.html...)


#2 2017-11-21 14:59:51

jalbrecht
Administrator
Registered: 2016-10-21

Re: Security Issues

Hi Gaurav,

1. Click-Jacking (UI redress attack) is possible
Click-Jacking is an issue that can be resolved by configuring Security Headers (X-Frame-Options). This can be achieved by configuring the server (e.g. apache/tomcat) appropriately. Please check the links below to gather some insight:

https://geekflare.com/tomcat-http-security-header/
http://www.globaldots.com/8-http-securi … practices/
https://www.dionach.com/blog/an-overvie … ty-headers
https://geekflare.com/http-header-implementation/

2. User Password is sent in clear text which can be intercepted
Enable SSL/TLS when using reportserver, which we strongly recommend anyway. If so, the password will be encrypted on the way. This also ensures reasonable protection from eavesdroppers, phishing and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted.

If this is not applicable in your environment check: https://reportserver.net/en/guides/conf … roperties/ (-> 3.2.2. Authentication settings / ChallengeResponsePAM)

3. Simultaneous Login from one account is possible
Works as designed. Why would that be a security issue?

4. Dangerous methods such as TRACE, PUT, DELETE, TRACK, OPTIONS, HEAD are allowed
This depends on the configuration of your application server (e.g. apache/tomcat). For further information on configuring apache/tomcat to restrict methods check:

https://support.ca.com/us/knowledge-bas … 46647.html
https://www.onwebsecurity.com/security/ … thods.html

5. Missing HTTP Security headers in responses
Check answer 1. We will consider if and how to ease configuration of some of these headers on application level. Nevertheless it is highly recommended to secure your environment independently of the application. Check the links below for some further insight.

https://geekflare.com/tomcat-http-security-header/
http://www.globaldots.com/8-http-securi … practices/
https://www.dionach.com/blog/an-overvie … ty-headers
https://geekflare.com/http-header-implementation/

6. Restrict certain types of file-upload (.jsp,.html...)
Works as designed. Why would that be a security issue?
Uploads can only be performed if permitted by reportserver. The execute script permission should only be given to a (very) restricted group of users, since scripts can do harm!

For more information on reportserver security check:

https://reportserver.net/en/guides/conf … roperties/ (-> encryption)
https://reportserver.net/en/guides/admi … arameters/ (-> sql injection)

That said, we do not recommend running an off-the-shelf bitnami installation as a production environment without altering the configuration to cope with the security requirements of the environment.

happy securing ...

wbr jan


#3 2017-11-21 18:14:44

karolina
Member
Registered: 2014-08-09

Re: Security Issues

Jan
Many thanks for this information

All the best - karolina


#4 2017-12-08 06:31:49

GauravKumar
Member
Registered: 2017-05-26

Re: Security Issues

Hi Jan,

3. Simultaneous Login from one account is possible
Works as designed. Why would that be a security issue?

For this issue, our security team claims that if a user forgets to log out from a workstation and logs in from another workstation.


#5 2017-12-08 07:52:42

eduardo
Administrator
Registered: 2016-11-01

Re: Security Issues

Hi GauravKumar,

Why should this be an issue?
If a user forgets to log out from a workstation, he/she will still need his/her password in order to be able to log in from the other workstation.

For this purpose, you have the session timeout. This is configured via tomcat.
After the session timeout, the user will be automatically logged out. It would make no difference whether the user is able to log in from another workstation or not. The point is what to do if a user forgets to sign out. THIS is the "security issue". And for solving it, the session timeout is used. You can change it; some more information here: https://forum.reportserver.net/viewtopic.php?id=367

Regards,
Eduardo


#6 2017-12-08 11:21:37

GauravKumar
Member
Registered: 2017-05-26

Re: Security Issues

Hi Eduardo,

Is there any configuration by which I can have Single Sign-On enabled in Report Server?


#7 2017-12-08 11:37:29

eduardo
Administrator
Registered: 2016-11-01

Re: Security Issues

Hi GauravKumar,

Yes, you have to configure the PAM scripts for this. Check https://forum.reportserver.net/viewtopic.php?id=995 for some details on using CAS SSO.

Regards,
Eduardo
