hxclient_S_v3_1_4.js.arc will show sensitive information


pan tianming (4765644) | asked Oct 25 '12, 10:00 p.m.
We found the following URL will show sensitive information after running APPSCAN in both RAM version 7.2 and 7511:
GET /cloud/enterprise/ram/.ibmjsfres/hxclient_S_v3_1_4.js.arc returns the contents of the file.

Recommendation:
Do not keep archived versions of files underneath the virtual web server root. Instead, keep the archive files outside the virtual root. Make sure that only the files that are actually in use reside under the virtual root.


The problem is:
It is possible to download temporary script files, which can expose the application logic and other sensitive information such as usernames and passwords.

Accepted answer


Rich Kulp (3.6k38) | answered Oct 26 '12, 11:31 a.m.
FORUM MODERATOR / JAZZ DEVELOPER
There is no .arc file. .ibmjsfres is standard Java Server Faces. The .arc was added by your AppScan, but there is no such file. The standard Faces servlet ignores the .arc and is returning the standard file /.ibmjsfres/hxclient_S_v3_1_4.js instead. (JSF ignores EVERYTHING after the .js. I tried .arcasdf and it still returned the exact same file, and there is obviously no extension .arcasdf in any system.)

There are NO arc files on the system. There are no temporary files.

This is a standard Java Server Faces javascript file. There is no secret information. It is a static content file that anyone and everyone gets sent to their browser when Faces is in use. It contains JSF utilities that are required on the browser itself to convert date and time to different locales.

This is simply a problem with the configuration of APPSCAN. It returns everything but it doesn't understand the semantics behind it. It requires someone to understand that APPSCAN returns MANY false positives that need to be sorted out and ignored. And this is one of these false positives.
pan tianming selected this answer as the correct answer
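The moderator's check above (the same file comes back for `.arc` and for a made-up suffix) written as a repeatable triage script. This is an added example, not code from the post or from the Jazz/RAM project; the host name is a placeholder and the offline `jsf_like_fetch` stand-in is constructed to mimic a Faces resource servlet that ignores anything after `.js`.

```python
"""Triage an AppScan "archived file" finding against a JSF resource.

Fetch the resource three ways: with the reported .arc suffix, with the plain
.js name, and with a suffix no system uses. If all three bodies are
byte-identical, the server is ignoring the suffix and no separate archive
file exists, so the finding is a false positive.
"""
import hashlib
import urllib.request

BASE_URL = "https://ram.example.invalid"  # placeholder host (assumption)
RESOURCE = "/cloud/enterprise/ram/.ibmjsfres/hxclient_S_v3_1_4.js"  # from the finding


def http_fetch(url: str) -> bytes:
    """Fetch a URL and return the body (used when run against a real server)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def triage_archive_finding(resource: str, fetch=http_fetch, base_url: str = BASE_URL) -> dict:
    """Decide whether '<resource>.arc' is a distinct file or the base resource.

    `fetch` maps a URL to a body so the check also runs offline with canned
    responses. Returns the verdict and the SHA-256 of each variant for the report.
    """
    variants = {
        "base": resource,
        "arc": resource + ".arc",
        "junk": resource + ".arcasdf",  # suffix that cannot name a real file type
    }
    digests = {name: hashlib.sha256(fetch(base_url + path)).hexdigest()
               for name, path in variants.items()}
    if digests["base"] == digests["arc"] == digests["junk"]:
        verdict = "false_positive_suffix_ignored"
    else:
        verdict = "distinct_content_investigate"  # .arc really differs: look closer
    return {"verdict": verdict, "sha256": digests}


# Constructed offline stand-in: serves the same static file for any path
# that continues past ".js", which is the behaviour the moderator describes.
_STATIC_JS = b"/* hxclient: JSF locale date/time helpers (constructed stub) */\n"


def jsf_like_fetch(url: str) -> bytes:
    path = url[len(BASE_URL):]
    head, sep, _tail = path.partition(".js")
    if sep and head.endswith("hxclient_S_v3_1_4"):
        return _STATIC_JS
    raise FileNotFoundError(path)


if __name__ == "__main__":
    print(triage_archive_finding(RESOURCE, fetch=jsf_like_fetch)["verdict"])
```

Replace `fetch=jsf_like_fetch` with the default `http_fetch` and a real `base_url` to run the same check against a server you administer.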
