dickieong  
#1 Posted : Wednesday, March 14, 2018 8:41:57 AM(UTC)
Dear All,

I installed the ScreenConnect software on our Windows Server 2012 R2.
After that, our system admin sent me an Acunetix Security Audit report.

I got one Insecure CORS configuration finding for the ScreenConnect server.

CORS (Cross-Origin Resource Sharing) defines a mechanism to enable client-side cross-origin requests. This application is using CORS in an insecure way. The web application returns the following headers:
  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Origin: copy of the Origin header from request


In this configuration any website can issue requests made with user credentials and read the responses to these requests.
Impact
Any website can issue requests made with user credentials and read the responses to these requests.
Recommendation
Allow only selected, trusted domains in the Access-Control-Allow-Origin header.
Affected items
/Services/PageService.ashx/GetGuestSessionInfo
Details
Request headers
POST /Services/PageService.ashx/GetGuestSessionInfo HTTP/1.1
Referer: http://umrs-tmp.pclan.umac.mo:8040/
Origin: http://35hohagx.com
X-Unauthorized-Status-Code: 403
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Content-Type: application/json
Accept: */*
Content-Length: 9
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept-Language: en-US,*
Host: umrs-tmp.pclan.umac.mo:8040
Acunetix-Product: WVS/11.0 (Acunetix - WVSE)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
[[],[],0]

How can I change the ScreenConnect web server configuration?

ScreenConnect version: 6.1.12292.6236
Server: Windows Server 2012 R2
Scott  
#2 Posted : Wednesday, March 14, 2018 11:19:53 AM(UTC)
Are you just wanting to append the X-Frame-Options header to the response and set it to deny? If not, can you elaborate a bit more on what you believe will resolve this?

If that is what you're looking to do, you can create an Extension to accomplish it. The Extension needs two files, a Manifest.xml and an XFrameOriginsHeaderModule.cs.

The Manifest.xml would contain:
Code:

<?xml version="1.0" encoding="utf-8"?>
<ExtensionManifest>
	<Version>1.0</Version>
	<Name>Deny X-Frame-Options</Name>
	<Author>ConnectWise Labs</Author>
	<ShortDescription>(REQUIRES 5.6+) This extension sets the X-Frame-Options header for HTTP requests to DENY which can prevent clickjacking.</ShortDescription>
	<Components>
		<HttpModuleDefinition SourceFile="XFrameOriginsHeaderModule.cs" MinProductVersionInclusive="5.6"/>
	</Components>
</ExtensionManifest>


And the XFrameOriginsHeaderModule.cs would contain:
Code:

using System;
using System.Web;
using ScreenConnect;

// Runs on every request and adds X-Frame-Options: DENY, so no site can frame the page.
public class XFrameOriginsHeaderModule : HttpModuleBase
{
	public override void OnBeginRequest(HttpContext context) {
		context.Response.AppendHeader("X-Frame-Options", "DENY");
	}
}


By default it sets the header to DENY; you can change that within the OnBeginRequest method to whatever you want, as defined here.
ScreenConnect Team
dickieong  
#3 Posted : Thursday, March 15, 2018 1:47:43 AM(UTC)
Thanks for your reply.

Actually, I want to know whether there is any way to set the ScreenConnect web server to set Access-Control-Allow-Origin to our domain.

But I think X-Frame-Options can also fix this problem.

For Manifest.xml and XFrameOriginsHeaderModule.cs, which folder should I put both files in?
Scott  
#4 Posted : Thursday, March 15, 2018 2:10:36 PM(UTC)
The files would be created within an Extension, more information on this process can be found here.

Also, I can't say that I've tested it, but you could just modify the OnBeginRequest to append the other header.

Code:

context.Response.AppendHeader("Access-Control-Allow-Origin", "ORIGIN_FILTER_HERE");
ScreenConnect Team
dickieong  
#5 Posted : Friday, March 16, 2018 6:12:51 AM(UTC)
Thanks Scott,

Your answer helped me fix the problem.
sitaram.nayak  
#6 Posted : Thursday, June 7, 2018 12:52:16 PM(UTC)
Hi Scott,

I need the steps to set up these extensions. I am not getting where the two files need to be placed.
I followed the steps to install Extension Developer from https://docs.connectwise...ension_development_guide
But I am not getting what to do next.
We have the same security scan vulnerability:
Insecure CORS configuration
Severity High
Reported by module Scripting (CORS_Audit.script)
Description
CORS (Cross-Origin Resource Sharing) defines a mechanism to enable client-side cross-origin requests. This application is using CORS in an insecure way. The web application returns the following headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: copy of the Origin header from request
In this configuration any website can issue requests made with user credentials and read the responses to these requests.
Impact
Any website can issue requests made with user credentials and read the responses to these requests.
Recommendation
Allow only selected, trusted domains in the Access-Control-Allow-Origin header.
References
CORS Security Considerations (http://www.w3.org/TR/cors/#security)
Affected items
/Services/PageService.ashx/GetGuestSessionInfo
Details
Access-Control-Allow-Origin: http://TVCqmkpj.com
Access-Control-Allow-Credentials: true
Request headers
POST /Services/PageService.ashx/GetGuestSessionInfo HTTP/1.1
Referer: https://remote.mmodal.com/
Origin: http://TVCqmkpj.com
X-Unauthorized-Status-Code: 403
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Content-Type: application/json
Accept: */*
Content-Length: 9
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept-Language: en-US,*
Host: remote.mmodal.com
Pragma: no-cache
Cache-Control: no-cache
[[],[],0]
sitaram.nayak  
#7 Posted : Friday, June 8, 2018 9:43:41 AM(UTC)
Can someone provide some help with this? We still have the same vulnerability detected even after following the instructions for setting up the extension.
Scott  
#8 Posted : Tuesday, June 12, 2018 12:13:18 PM(UTC)
You can look at the code for a similar extension, "X-Frame-Options", to see how it appends new headers to the web request. Basically, create an Extension containing an HttpModuleDefinition that looks similar to:

Code:

using System;
using System.Web;
using ScreenConnect;

// Appends a fixed Access-Control-Allow-Origin value to every response.
public class AllowOriginHeaderModule : HttpModuleBase
{
	public override void OnBeginRequest(HttpContext context) {
		context.Response.AppendHeader("Access-Control-Allow-Origin", "ORIGIN_FILTER_HERE");
	}
}
ScreenConnect Team
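Added example (not ConnectWise code and not from any post in this thread): a version of the Access-Control-Allow-Origin module that addresses what the scanner actually reported, namely the server echoing whatever Origin the client sends while also returning Access-Control-Allow-Credentials: true. It uses only the HttpModuleBase / OnBeginRequest hook and the HttpModuleDefinition manifest entry shown for the X-Frame-Options extension above, together with the standard ASP.NET HttpContext request and response objects; the trusted-origin list, the class name AllowOriginHeaderModule and the ResolveAllowedOrigin helper are assumptions for illustration. Instead of hard-coding one origin into the header, it compares the request's Origin against an exact allowlist and emits the two CORS headers only on a match, so an untrusted origin gets no Access-Control-Allow-Origin at all and the browser refuses to expose the response to it.

```csharp
// AllowOriginHeaderModule.cs -- added example, not ConnectWise/ScreenConnect code.
// Assumes the HttpModuleBase/OnBeginRequest hook and the HttpModuleDefinition
// manifest entry shown earlier in this thread (assumption: the ScreenConnect
// pipeline lets this module add response headers). Trusted origins are placeholders.
using System;
using System.Collections.Generic;
using System.Web;
using ScreenConnect;

public class AllowOriginHeaderModule : HttpModuleBase
{
	// Assumed trusted origins, as scheme://host[:port] with no path. Replace with your own.
	// Matching is exact: no wildcards and no suffix matching, so an origin such as
	// "https://remote.example.com.attacker.test" can never be accepted.
	static readonly HashSet<string> TrustedOrigins = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
	{
		"https://remote.example.com",
		"https://remote.example.com:8040",
	};

	public override void OnBeginRequest(HttpContext context)
	{
		string origin = context.Request.Headers["Origin"];
		string allowed = ResolveAllowedOrigin(origin, TrustedOrigins);

		// The CORS headers depend on the request's Origin, so tell caches not to
		// replay a response generated for a trusted origin to a different one.
		context.Response.AppendHeader("Vary", "Origin");

		if (allowed == null)
		{
			// Untrusted or missing Origin: emit no CORS headers at all. Without an
			// Access-Control-Allow-Origin the browser blocks the cross-origin read.
			return;
		}

		// Echo only the exact trusted origin. Never use "*" together with credentials.
		context.Response.AppendHeader("Access-Control-Allow-Origin", allowed);
		context.Response.AppendHeader("Access-Control-Allow-Credentials", "true");
	}

	// Pure policy decision, kept apart from HttpContext so it can be unit tested.
	// Returns the normalised trusted origin to echo, or null when the request
	// must receive no CORS headers.
	public static string ResolveAllowedOrigin(string origin, ISet<string> trusted)
	{
		if (string.IsNullOrWhiteSpace(origin))
			return null;

		string candidate = origin.Trim();

		// Browsers send the literal "null" for sandboxed iframes, file:// pages and
		// some redirected requests; any site can cause it, so it is never trusted.
		if (candidate == "null")
			return null;

		Uri parsed;
		if (!Uri.TryCreate(candidate, UriKind.Absolute, out parsed))
			return null;

		// A real Origin header carries no path, query or fragment.
		if (parsed.PathAndQuery != "/" || !string.IsNullOrEmpty(parsed.Fragment))
			return null;

		// scheme://host[:port], default ports dropped, e.g. "https://remote.example.com"
		string normalised = parsed.GetLeftPart(UriPartial.Authority);

		return trusted.Contains(normalised) ? normalised : null;
	}
}
```

To check the result, replay the scanner's request with a made-up Origin, for example `curl -i -X POST -H "Origin: https://attacker.test" -H "Content-Type: application/json" --data '[[],[],0]' https://<your-host>/Services/PageService.ashx/GetGuestSessionInfo`, and confirm that the response carries no Access-Control-Allow-Origin header (and, for a trusted Origin, exactly one that names that origin). Browsers fail the CORS check when Access-Control-Allow-Origin appears more than once, so if the product's own handler still echoes the request Origin after this module has run, the response will carry two copies, a rescan will still report the reflected untrusted value, and the header has to be changed where it is actually produced rather than only appended to. Preflight (OPTIONS) handling is left unchanged by this module.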