hxclient_S_v3_1_4.js.arc will show senstive information
We found the following URL will show senstive information after run APPSCAN in both RAM 7.2 version and 7511:
GET /cloud/enterprise/ram/.ibmjsfres/hxclient_S_v3_1_4.js.arc returns the contents of the file
recommenadation
Do not keep archived versions of files underneath the virtual web server root. Instead, keep the archive files outside the virtual root. Make sure that only the files that are actually in use reside under the virtual root.
The problem is:
It is possible to download temporary script files, which can expose the application logic and other sensitive information such as usernames and passwords
GET /cloud/enterprise/ram/.ibmjsfres/hxclient_S_v3_1_4.js.arc returns the contents of the file
recommenadation
Do not keep archived versions of files underneath the virtual web server root. Instead, keep the archive files outside the virtual root. Make sure that only the files that are actually in use reside under the virtual root.
The problem is:
It is possible to download temporary script files, which can expose the application logic and other sensitive information such as usernames and passwords
Accepted answer
There is no .arc file. .ibmjsfres is standard Java Server Faces. The .arc was added by your appscan but there is no such file. The standard Faces servlet ignores the .arc and is returning the standard file /.ibmjsfres/hxclient_S_v3_1_4.js instead. (JSF ignores EVERYTHING after the .js. I tried .arcasdf and it still returned the exact same file and this obviously no extension .arcasdf in any system).
There are NO arc files on the system. There are no temporary files.
This is a standard Java Server Faces javascript file. There is no secret information. It is a static content file that anyone and everyone gets sent to their browser when Faces is in use. It contains JSF utilities that are required on the browser itself to convert date and time to different locales.
This is simply a problem with the configuration of APPSCAN. It returns everything but it doesn't understand the semantics behind it. It requires someone to understand that APPSCAN returns MANY false positives that need to be sorted out and ignored. And this is one of these false positives.
There are NO arc files on the system. There are no temporary files.
This is a standard Java Server Faces javascript file. There is no secret information. It is a static content file that anyone and everyone gets sent to their browser when Faces is in use. It contains JSF utilities that are required on the browser itself to convert date and time to different locales.
This is simply a problem with the configuration of APPSCAN. It returns everything but it doesn't understand the semantics behind it. It requires someone to understand that APPSCAN returns MANY false positives that need to be sorted out and ignored. And this is one of these false positives.