Micro Focus Expert
711 views

Solve vulnerabilities in Identity Apps 4.7

Hi,

My customer is going to install IDM 4.7.

They need to know if the following vulnerabilities have a solution in Identity Applications:


1. Allow configuring the following security headers.

* Header name: x-Frame-options: 1; mode=block.
* Header name: X-Permitted-Cross-Domain-Policies: by-content-type.

2. Disable the autocomplete password settings, for example:

* <form action="index.cgi" autocomplete="off" method="post" id="login_form" name="login_form">
* <INPUT TYPE="password" AUTOCOMPLETE="off">

3. Disable the TLS 1.0 protocol and only TLS 1.2 works.

4. Avoid Cross-site-request-forgery

TIA
Labels (1)
0 Likes
3 Replies
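As an added illustration (not code from the thread, the product, or Micro Focus), the following Python audit checks a captured response against the four items in the question from the defender's side: whether the two headers carry values those headers actually define, whether the session cookie carries a SameSite attribute (one CSRF defence), and whether the negotiated protocol is TLS 1.2 or newer. The header values and cookie in SAMPLE_HEADERS are constructed to mirror the question; note that "1; mode=block" is not a defined X-Frame-Options value, so the audit flags it.

```python
"""Audit response settings named in the question (constructed example)."""
import ssl
from typing import Dict, List

# Values each header actually defines (not the values quoted in the post).
XFO_VALID = {"DENY", "SAMEORIGIN"}
XPCDP_VALID = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}
TLS_ALLOWED = {"TLSv1.2", "TLSv1.3"}


def audit_response(headers: Dict[str, str], tls_version: str) -> List[str]:
    """Return findings; an empty list means every check passed.

    headers: response headers, names compared case-insensitively.
    tls_version: the string ssl.SSLSocket.version() returns, e.g. 'TLSv1.2'.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in XFO_VALID:
        findings.append(f"X-Frame-Options has undefined value {xfo!r}; use DENY or SAMEORIGIN")

    xp = h.get("x-permitted-cross-domain-policies")
    if xp is None:
        findings.append("X-Permitted-Cross-Domain-Policies missing")
    elif xp.lower() not in XPCDP_VALID:
        findings.append(f"X-Permitted-Cross-Domain-Policies has undefined value {xp!r}")

    cookie = h.get("set-cookie", "")
    if cookie and "samesite=" not in cookie.lower():
        findings.append("session cookie lacks SameSite; CSRF defence must rely on tokens")

    if tls_version not in TLS_ALLOWED:
        findings.append(f"negotiated {tls_version}; enable only TLS 1.2+ on the application server")
    return findings


def tls12_only_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2, for probing a server."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample: the header values exactly as quoted in the question,
# a cookie without SameSite, evaluated as if the handshake negotiated TLS 1.0.
SAMPLE_HEADERS = {
    "X-Frame-Options": "1; mode=block",
    "X-Permitted-Cross-Domain-Policies": "by-content-type",
    "Set-Cookie": "JSESSIONID=constructed; Secure; HttpOnly",
}
```

To probe a live server, wrap a socket with `tls12_only_context()` and pass `sock.version()` together with the parsed response headers to `audit_response`.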
Knowledge Partner

On 2018-05-19 00:46, esilva wrote:
>
> Hi,
>
> My customer is going to install IDM 4.7.
>
> They need to know if the following vulnerabilities have a solution in
> Identity Aplications:
>
>
> 1. Allow to configure the following security headers.
>
> * Header name: x-Frame-options: 1; mode=block.
> * Header name: X-Permitted-Cross-Domain-Policies: by-content-type.
>
> 2. Disable the autocomplete password settings, for example:
>
> * <form action="index.cgi" autocomplete="off" method="post"
> id="login_form" name="login_form">
> * <INPUT TYPE="password" AUTOCOMPLETE="off">
>
> 3. Disable the TLS 1.0 protocol and only TLS 1.2 works.
>
> 4. Avoid Cross-site-request-forgery
>
> TIA
>
>

Hello

If your customer has found any security vulnerabilities they should
report them the proper way.

https://www.microfocus.com/support-and-services/report-security/

You know that any user can bypass autocomplete=off?

The customer should configure their application server correctly if they
want to turn off TLS v1.0; it has nothing to do with Idm Apps...

-alekz
0 Likes
Micro Focus Expert

alekz;2481211 wrote:
On 2018-05-19 00:46, esilva wrote:
>
> Hi,
>
> My customer is going to install IDM 4.7.
>
> They need to know if the following vulnerabilities have a solution in
> Identity Aplications:
>
>
> 1. Allow to configure the following security headers.
>
> * Header name: x-Frame-options: 1; mode=block.
> * Header name: X-Permitted-Cross-Domain-Policies: by-content-type.
>
> 2. Disable the autocomplete password settings, for example:
>
> * <form action="index.cgi" autocomplete="off" method="post"
> id="login_form" name="login_form">
> * <INPUT TYPE="password" AUTOCOMPLETE="off">
>
> 3. Disable the TLS 1.0 protocol and only TLS 1.2 works.
>
> 4. Avoid Cross-site-request-forgery
>
> TIA
>
>

Hello

If your customer has found any security vulnerabilities they should
report them the proper way.

https://www.microfocus.com/support-and-services/report-security/

You know that any user can bypass autocomplete=off?

The customer should configure their application server correctly if they
want to turn off TLS v1.0, it has nothing to do with Idm Apps...

-alekz


Hi Alekz,

Great information !

TIA
0 Likes
Micro Focus Expert

On 2018-05-19 00:46, esilva wrote:
> 2. Disable the autocomplete password settings, for example:
>
> * <form action="index.cgi" autocomplete="off" method="post"
> id="login_form" name="login_form">
> * <INPUT TYPE="password" AUTOCOMPLETE="off">


Why would you want to do this?

From
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion:

many modern browsers do not support autocomplete="off" for login fields:

If a site sets autocomplete="off" for a form, and the form includes
username and password input fields, then the browser will still offer to
remember this login, and if the user agrees, the browser will autofill
those fields the next time the user visits the page.
If a site sets autocomplete="off" for username and password input
fields, then the browser will still offer to remember this login, and if
the user agrees, the browser will autofill those fields the next time
the user visits the page.

This is the behavior in Firefox (since version 38), Google Chrome (since
34), and Internet Explorer (since version 11).

--
Norbert
0 Likes