
hxclient_S_v3_1_4.js.arc will show sensitive information

pan tianming (4765444) | asked Oct 25 '12, 10:00 p.m.
We found that the following URL will show sensitive information after running APPSCAN in both RAM 7.2 version and 7511:
GET /cloud/enterprise/ram/.ibmjsfres/hxclient_S_v3_1_4.js.arc returns the contents of the file

Do not keep archived versions of files underneath the virtual web server root. Instead, keep the archive files outside the virtual root. Make sure that only the files that are actually in use reside under the virtual root.

The problem is:
It is possible to download temporary script files, which can expose the application logic and other sensitive information such as usernames and passwords

Accepted answer

Rich Kulp (3.6k38) | answered Oct 26 '12, 11:31 a.m.
There is no .arc file. .ibmjsfres is standard Java Server Faces. The .arc was added by your appscan but there is no such file. The standard Faces servlet ignores the .arc and is returning the standard file /.ibmjsfres/hxclient_S_v3_1_4.js instead. (JSF ignores EVERYTHING after the .js. I tried .arcasdf and it still returned the exact same file, and there is obviously no extension .arcasdf in any system.)

There are NO arc files on the system. There are no temporary files.

This is a standard Java Server Faces JavaScript file. There is no secret information. It is a static content file that anyone and everyone gets sent to their browser when Faces is in use. It contains JSF utilities that are required on the browser itself to convert date and time to different locales.

This is simply a problem with the configuration of APPSCAN. It returns everything but it doesn't understand the semantics behind it. It requires someone to understand that APPSCAN returns MANY false positives that need to be sorted out and ignored. And this is one of these false positives.
pan tianming selected this answer as the correct answer
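The answer's own verification step (request the URL with an arbitrary suffix and see whether the server hands back the very same .js file) can be turned into a repeatable triage check for this class of "archived file" scanner finding. The script below is an added example written for this page; it is not part of the original thread, of AppScan, or of RAM/JSF. It strips the suffix after `.js` to get the path the Faces servlet actually resolves, fetches both URLs, and compares SHA-256 digests: identical bytes mean the servlet ignored the suffix and the finding is a false positive; distinct bytes mean a real, separate file is being served and the finding needs a human look. The `fetch` callable, the `fake_jsf_fetch`/`fake_leaky_fetch` stand-ins and their embedded file contents are constructed for offline use; `make_http_fetch` is an assumed helper for running the same check against a test instance.

```python
import hashlib
from urllib.request import urlopen, Request
from urllib.error import HTTPError

JS_MARKER = ".js"


def base_js_path(path):
    """Return the path up to and including the first '.js', dropping any
    trailing suffix such as '.arc' or '.arcasdf'. This models the answer's
    observation that the Faces servlet ignores everything after '.js'.
    Caveat: a path like '/data.json' also contains '.js'; callers should
    only feed this paths the scanner flagged as '.js<suffix>'."""
    idx = path.find(JS_MARKER)
    if idx == -1:
        return path
    return path[: idx + len(JS_MARKER)]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage_archive_finding(path, fetch):
    """Classify a scanner finding of the form '/.../name.js<suffix>'.

    fetch(path) -> (status, body_bytes). Verdicts:
      not_applicable   - path has no '.js' part, nothing to strip
      not_reproducible - the suffixed URL does not return 200
      false_positive   - suffixed URL and base .js URL return identical bytes
      needs_review     - suffixed URL serves content that differs from the
                         base .js (a genuinely separate file exists)
    """
    base = base_js_path(path)
    result = {"path": path, "base_path": base}
    if base == path:
        result["verdict"] = "not_applicable"
        return result

    status_suffixed, body_suffixed = fetch(path)
    result["suffixed_status"] = status_suffixed
    if status_suffixed != 200:
        result["verdict"] = "not_reproducible"
        return result

    status_base, body_base = fetch(base)
    result["suffixed_sha256"] = sha256_hex(body_suffixed)
    result["base_sha256"] = sha256_hex(body_base) if status_base == 200 else None
    same = status_base == 200 and result["base_sha256"] == result["suffixed_sha256"]
    result["verdict"] = "false_positive" if same else "needs_review"
    return result


def make_http_fetch(origin, timeout=10):
    """Assumed helper: build a real fetch for a test instance, e.g.
    make_http_fetch('https://ram.example.test'). Not exercised offline."""
    def fetch(path):
        try:
            req = Request(origin + path, headers={"User-Agent": "archive-finding-triage"})
            with urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except HTTPError as err:
            return err.code, b""
    return fetch


# Constructed stand-in for a JSF-backed server: only the base .js exists and
# the servlet ignores any suffix after '.js', exactly as described above.
CONSTRUCTED_JSF_FILES = {
    "/cloud/enterprise/ram/.ibmjsfres/hxclient_S_v3_1_4.js":
        b"/* constructed JSF client utility script */ function hxDateToLocale(){}",
}


def fake_jsf_fetch(path):
    body = CONSTRUCTED_JSF_FILES.get(base_js_path(path))
    return (200, body) if body is not None else (404, b"")


# Constructed stand-in for a misconfigured server where a distinct archived
# copy really is served under the web root; exact paths only, no suffix magic.
CONSTRUCTED_LEAKY_FILES = {
    "/cloud/enterprise/ram/.ibmjsfres/hxclient_S_v3_1_4.js":
        b"/* constructed current script */ function hxDateToLocale(){}",
    "/cloud/enterprise/ram/.ibmjsfres/hxclient_S_v3_1_4.js.arc":
        b"/* constructed archived copy with different contents */ var old=1;",
}


def fake_leaky_fetch(path):
    body = CONSTRUCTED_LEAKY_FILES.get(path)
    return (200, body) if body is not None else (404, b"")


if __name__ == "__main__":
    flagged = "/cloud/enterprise/ram/.ibmjsfres/hxclient_S_v3_1_4.js.arc"
    print(triage_archive_finding(flagged, fake_jsf_fetch)["verdict"])    # false_positive
    print(triage_archive_finding(flagged, fake_leaky_fetch)["verdict"])  # needs_review
```

The digest comparison is the part worth keeping: a 200 response alone is what the scanner saw, and it is not evidence of a leaked archive. Only when the suffixed URL returns bytes that differ from the plain `.js` does the "archived versions under the web root" advice in the report apply, and then the fix is the one the report gives: move such files outside the virtual root.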
