Super Contributor.

Anybody heard of Micro Focus DSD?

We installed COBOL Server 2.3 Update 1 on a Windows Server 2008 server with File Share as the only server role installed/setup/enabled. Our IT security people periodically run a commercially available network scanning tool they refer to as ACAS in order to assure compliance with all of Navy's rules. The following is an excerpt from an e-mail my supervisor just received from them -

The software/website is part of the Micro Focus DSD package. It's likely an embedded webserver installed as part of that package. There may be an update to the software, or there may be no way to fix this other than through the vendor. This is the output from the ACAS plugin:

When processing the following request :

GET / HTTP/1.0

this web server leaks the following private IP address :

172.17.5.118

as found in the following collection of HTTP headers :

HTTP/1.0 200 OK
Server: Micro Focus DSD 1.20.15
Cache-control: private,no-cache
?Pragma: no-cache
Expires: -1
Content-Type: text/html
Set-Cookie: MF_CLIENT=mfuser ; path=/; HttpOnly
MF-Cookie-1: MF_CLIENT=mfuser ;
Set-Cookie: MF_SESSION=d47636b0 ; path=/; HttpOnly
MF-Cookie-2: MF_SESSION=d47636b0 ;
Set-Cookie: MF_DS=172.17.5.118:86 ; path=/; HttpOnly
MF-Cookie-3: MF_DS=172.17.5.118:86 ;
Set-Cookie: MF_CONTACT=1462794401 ; path=/; HttpOnly
MF-Cookie-3: MF_CONTACT=1462794401 ;
Content-Length: 35432

Since this server doesn't have IIS installed or active, how can it be responding to web requests? And what is Micro Focus DSD?
Micro Focus Expert

RE: Anybody heard of Micro Focus DSD?


"Micro Focus DSD" is the name that MFDS, the Micro Focus Directory Server, uses to identify itself in HTTP responses. It's not a separate product; it's part of several Micro Focus products, including Visual COBOL, Enterprise Developer, and Enterprise Server.

IIS is only one HTTP server among many. The absence of IIS just means IIS won't be responding to HTTP requests. In this case, it's MFDS that's responding to the requests from ACAS.

I would call the "issue" being reported by ACAS a false positive - in fact, I think it's a meaningless check. Unfortunately most of these web scanning tools are rather poor quality; they flag many things that have little or no security impact, or are outright incorrect.

If you need to have this changed to comply with a requirement, please open an incident and ask your Micro Focus Customer Care representative to raise a problem report so Development can schedule a change. (It's not really accurate to call it a "fix", since the existing behavior isn't broken, except in the mind of whoever added that check to ACAS.)

Super Contributor.

RE: Anybody heard of Micro Focus DSD?


Thank you for the response.  I've followed your advice and opened an incident.  If I can't "close this hole", so to speak, then I will perpetually have to describe/explain/defend its existence to the never-ending column of admin-type managers sticking their noses into technical matters.
