
Restrict Access to "Service Centre" by IP Address

Service Center
New

A number of pages within Service Centre are accessible to unauthenticated users and reveal information about the OutSystems application, which poses a security risk. Best practice is to disclose as little information as possible to attackers.

The following information was extracted by sending a request to the ‘/ServiceCenter/GeneralReportError.aspx’ page: Service Center Version, InstallerId, License Edition, Windows Version, Serial number, Activation Code, and Application Server.

In addition to this, the ‘Serial’ parameter could be extracted by sending a SOAP request to the ‘GetPlatformInfo’ method of the ‘/ServiceCenter/OutSystemsPlatform.asmx’ web service.

The ‘HubServerInstallerId’ value was found by sending a SOAP request to the ‘GetPropertiesForHandshake’ method of the following web services:

  • /ServiceCenter/Solutions.asmx
  • /ServiceCenter/IntegrationStudio.asmx
  • /ServiceCenter/ServiceStudio.asmx

The ‘GetInstallationKind’ method of the ‘/ServiceCenter/ServiceStudio.asmx’ web service and ‘Capabilities_Get’ of ‘/ServiceCenter/PlatformServices_v8_0_0.asmx’ could also show information about how the application has been set up.

As the ‘/ServiceCenter/LoginIntegratedAuthentication.aspx’ page provides NTLM authentication to users, the following information could also be extracted from the server: Port, State, Service, Target Name, NetBIOS name, DNS name.

Service Centre should therefore provide a security configuration setting that can whitelist specific IPs allowed to access this module on the platform.

Created on 17 Dec 2018
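An added example, not part of the original post or of OutSystems' own tooling: a small Python check that an administrator can run from a host outside the Internal Network after restricting Service Centre, to confirm that the pages named above no longer answer unauthenticated requests. It only issues plain GET requests to the paths listed in the post (a GET on an .asmx returns the ASP.NET service description page). The response code used by the Internal Network restriction (assumed 403) and the exact field labels on GeneralReportError.aspx are assumptions; the sample responses in the usage section are constructed.

```python
"""Verify that Service Centre pages are no longer reachable unauthenticated.

Run from a machine that is NOT inside the configured Internal Network:
    python sc_exposure_check.py https://your-environment.example
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Paths named in the post. Reading them without credentials was the issue.
SERVICE_CENTER_PATHS = [
    "/ServiceCenter/GeneralReportError.aspx",
    "/ServiceCenter/LoginIntegratedAuthentication.aspx",
    "/ServiceCenter/OutSystemsPlatform.asmx",
    "/ServiceCenter/Solutions.asmx",
    "/ServiceCenter/IntegrationStudio.asmx",
    "/ServiceCenter/ServiceStudio.asmx",
    "/ServiceCenter/PlatformServices_v8_0_0.asmx",
]

# Field labels the post says GeneralReportError.aspx disclosed. The exact
# wording on the real page is an ASSUMPTION; adjust to what your page shows.
# Matching is a case-insensitive substring test, so it is a heuristic.
SENSITIVE_MARKERS = ["Serial", "Activation Code", "InstallerId", "License Edition"]


@dataclass
class Verdict:
    path: str
    status: int
    outcome: str                 # "blocked", "challenged", "exposed", "reachable"
    leaked: list = field(default_factory=list)


def classify(path, status, body):
    """Turn an HTTP status and body into a verdict for one path.

    403 is assumed to be what the Internal Network restriction returns.
    401 means the page is still reachable from this network and is issuing an
    auth challenge; for the NTLM login page the post notes that the challenge
    itself discloses Target/NetBIOS/DNS names, so it is not counted as blocked.
    """
    if status == 403:
        return Verdict(path, status, "blocked")
    if status == 401:
        return Verdict(path, status, "challenged")
    if status == 200:
        lowered = body.lower()
        leaked = [m for m in SENSITIVE_MARKERS if m.lower() in lowered]
        return Verdict(path, status, "exposed" if leaked else "reachable", leaked)
    return Verdict(path, status, "reachable")


def fetch(base_url, path, timeout=10):
    """GET base_url + path and return (status, body). HTTP errors are returned,
    not raised, so 401/403 can be classified like any other response."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "sc-exposure-check (post-remediation verification)"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_all(base_url, fetch_fn=fetch):
    """Classify every listed path; fetch_fn is injectable so the logic can be
    exercised offline with constructed responses."""
    return [classify(p, *fetch_fn(base_url, p)) for p in SERVICE_CENTER_PATHS]


def all_blocked(verdicts):
    """True only when every path returned the assumed restriction response."""
    return all(v.outcome == "blocked" for v in verdicts)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(__doc__)
    results = check_all(sys.argv[1])
    for v in results:
        extra = f" leaked={v.leaked}" if v.leaked else ""
        print(f"{v.status:>3} {v.outcome:<10} {v.path}{extra}")
    sys.exit(0 if all_blocked(results) else 1)
```

The check exits non-zero if any path is still reachable, so it can be run from a scheduled job on an external host as a regression test after the Internal Network has been configured (via the Configuration Tool on-prem, or by Support on the cloud, as described in the comments).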
Comments (6)

Hi Ross,

Does your feedback relate to an OutSystems cloud environment?

Just tested and I get the same thing in the OutSystems cloud environment. A bit concerning that it shows the activation code and serial number to completely unauthorized users.

Hi John and Ross,


I understand your concerns. Actually, OutSystems has a configuration for the platform installation that allows defining an Internal Network; this is a setting that you can also use for your own applications: https://success.outsystems.com/Documentation/11/Developing_an_Application/Secure_the_Application/Restrict_Access_to_an_Internal_Network

By default, all management consoles are defined as Internal Only. This setting is defined for on-prem installations in the Configuration Tool, and for Cloud it needs to be requested from our support: https://www.outsystems.com/whats-new/internal-network-officially-available/.

Regards

Sounds like the REAL issue is that these pages & services should require authentication in the first place?

J.Ja

Thanks, André. Since we're using the cloud environment, I'll ask Support to create an Internal Network for us, but I support Justin's comment that some of these pages/services should only be available to authenticated users.

Changed the category to Service Center
