Internal Access Only security issue

Hello all,


Has anybody had to deal with having an "Internal Access Only" configuration for Service Center but not using HTTPS?

The security problem I'm having is that, I've configured Service Center for internal access (as well as other applications), but I can still bypass that from outside the network by sending in the header "X-Forwarded-For: 127.0.0.1" on the request. And since I'm not using HTTPS, that can compromise security.


How should I resolve this problem without using HTTPS? Any ideas?


Thanks in advance.

Hello Gonçalo,

You should not be able to bypass Internal Access with X-Forwarded-For header unless the request comes from a trusted proxy address.

Could you let us know how you have your Internal Network configured, and the IP address of the machine making the request?

Best regards,

Ricardo Silva

Hello Ricardo,


The machine making the request is from another network, completely outside of our customer's network. So, no trusted proxies.

The internal network has the usual 127.0.0.1 and the customer's network IPs. Should I open a support case?


Regards,

Given the kind of information that I expect to be exchanged, yes. I believe you should follow up by opening a support case.

Solution

Hello,

Just to give some closure to this subject, Gonçalo has indeed identified a security flaw in our Internal Network feature. It affects only some revisions of 9.1 (particularly 9.1.600.0+). The next revision of 9.1, which is due in a few weeks pending internal testing, will have this issue fixed.

In the meantime, there is a workaround for the issue which you can apply immediately.

You can find more information (including the workaround) in this KB entry.

Best regards,

Ricardo Silva
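The bypass discussed in this thread comes from honouring X-Forwarded-For regardless of which peer sent it. As an added illustration (not OutSystems code and not the KB workaround), assuming a constructed internal range and a single trusted reverse proxy, here is the flawed client-IP resolution beside a hardened one that only believes the header when the TCP peer is a known proxy:

```python
import ipaddress

# Constructed example values (not from the thread): the "Internal Network" is the
# loopback range plus the customer's LAN, and one reverse proxy is trusted to set
# X-Forwarded-For on behalf of clients.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _in_any(addr, networks):
    """True if addr parses as an IP address and falls inside one of the networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed or empty address never matches
    return any(ip in net for net in networks)


def is_internal(addr):
    """Internal Access Only decision; None (unknown client) is denied."""
    return addr is not None and _in_any(addr, INTERNAL_NETWORKS)


def client_ip_flawed(peer_addr, headers):
    """Flawed resolver: honours X-Forwarded-For no matter who sent it, so a
    remote client claiming '127.0.0.1' is treated as internal (the bypass)."""
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or peer_addr


def client_ip_hardened(peer_addr, headers):
    """Hardened resolver: the header is only believed when the TCP peer is a
    trusted proxy, and the client is the rightmost hop not added by a proxy."""
    if not _in_any(peer_addr, TRUSTED_PROXIES):
        return peer_addr  # header from an untrusted peer is ignored outright
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Each trusted proxy appends the address it saw, so walk right-to-left past
    # proxies; the first untrusted address is the real client. Any value the
    # client placed in front of it is never reached.
    for hop in reversed(hops):
        if not _in_any(hop, TRUSTED_PROXIES):
            return hop
    return None  # proxy sent no usable client address: deny rather than guess
```

Logging both the TCP peer and the resolved client address makes the mismatch between them visible, which is the detection signal for this kind of header abuse.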
