DX Unified Infrastructure Management

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

my login to both support.nimsoft.com & support.broadcom.com is working. 
not familiar with get_sessions.jsp so will look into and provide an update later.

------------------------------
Support Engineer
Broadcom
------------------------------

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom
------------------------------

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

The only way would be to rename the file
location
$\Nimsoft\probes\service\wasp\webapps\ROOT\jsp

This KB provides a query to get the same info:
Article Id: 34991
How can I find a list of users logged logged into UMP?
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=34991

------------------------------
Support Engineer
Broadcom
------------------------------

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

Thanks
Original Message:
Sent: 03-30-2020 09:01 AM
From: David MICHEL
Subject: get_sessions.jsp

The only way would be to rename the file
location
$\Nimsoft\probes\service\wasp\webapps\ROOT\jsp

This KB provides a query to get the same info:
Article Id: 34991
How can I find a list of users logged logged into UMP?
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=34991

------------------------------
Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

Hi Solomon, 
What the security issue here? 
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:


------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com
------------------------------

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

It works without a user and password
Original Message:
Sent: 03-30-2020 11:54 AM
From: Daniel Blanco
Subject: get_sessions.jsp

Hi Solomon,
What the security issue here?
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:

------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

Original Message:
Sent: 03-30-2020 11:59 AM
From: Solomon Melamed
Subject: get_sessions.jsp

It works without a user and password
Original Message:
Sent: 03-30-2020 11:54 AM
From: Daniel Blanco
Subject: get_sessions.jsp

Hi Solomon,
What the security issue here?
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:

------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

I happened to find out

Original Message:
Sent: 03-30-2020 12:04 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Original Message:
Sent: 03-30-2020 11:59 AM
From: Solomon Melamed
Subject: get_sessions.jsp

It works without a user and password
Original Message:
Sent: 03-30-2020 11:54 AM
From: Daniel Blanco
Subject: get_sessions.jsp

Hi Solomon,
What the security issue here?
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:

------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

It might vary by version but in 8.51 this query returned results. 

And agreed, this is kind of a gaping security issue - cuts in half the work it takes to guess a login. And it provides the remote IP making it much easier to spoof a connection.

Original Message:
Sent: 03-30-2020 12:05 PM
From: Solomon Melamed
Subject: get_sessions.jsp

I happened to find out

Original Message:
Sent: 03-30-2020 12:04 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Original Message:
Sent: 03-30-2020 11:59 AM
From: Solomon Melamed
Subject: get_sessions.jsp

It works without a user and password
Original Message:
Sent: 03-30-2020 11:54 AM
From: Daniel Blanco
Subject: get_sessions.jsp

Hi Solomon,
What the security issue here?
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:

------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

Username is displayed on this page. This is a serious problem.
Original Message:
Sent: 03-30-2020 12:20 PM
From: Garin Walsh
Subject: get_sessions.jsp

It might vary by version but in 8.51 this query returned results.

And agreed, this is kind of a gaping security issue - cuts in half the work it takes to guess a login. And it provides the remote IP making it much easier to spoof a connection.

Original Message:
Sent: 03-30-2020 12:05 PM
From: Solomon Melamed
Subject: get_sessions.jsp

I happened to find out

Original Message:
Sent: 03-30-2020 12:04 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Original Message:
Sent: 03-30-2020 11:59 AM
From: Solomon Melamed
Subject: get_sessions.jsp

It works without a user and password
Original Message:
Sent: 03-30-2020 11:54 AM
From: Daniel Blanco
Subject: get_sessions.jsp

Hi Solomon,
What the security issue here?
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:

------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

As of UIM/UMP v9.20, hitting that url, e.g.,  <ump>/jsp/get_sessions.jsp displays the message:

   "You must be logged in to access this page."

It does not reveal any user info without being logged in.

Steve


------------------------------
Support Engineer
Broadcom
US
------------------------------

Original Message:
Sent: 03-30-2020 12:26 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Username is displayed on this page. This is a serious problem.
Original Message:
Sent: 03-30-2020 12:20 PM
From: Garin Walsh
Subject: get_sessions.jsp

It might vary by version but in 8.51 this query returned results.

And agreed, this is kind of a gaping security issue - cuts in half the work it takes to guess a login. And it provides the remote IP making it much easier to spoof a connection.

Original Message:
Sent: 03-30-2020 12:05 PM
From: Solomon Melamed
Subject: get_sessions.jsp

I happened to find out

Original Message:
Sent: 03-30-2020 12:04 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Original Message:
Sent: 03-30-2020 11:59 AM
From: Solomon Melamed
Subject: get_sessions.jsp

It works without a user and password
Original Message:
Sent: 03-30-2020 11:54 AM
From: Daniel Blanco
Subject: get_sessions.jsp

Hi Solomon,
What the security issue here?
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:

------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

This page shows the usernames of their IP addresses Don't you think it's serious?
Original Message:
Sent: 03-30-2020 01:21 PM
From: Stephen Danseglio
Subject: get_sessions.jsp

As of UIM/UMP v9.20, hitting that url, e.g.,  <ump>/jsp/get_sessions.jsp displays the message:

   "You must be logged in to access this page."

It does not reveal any user info without being logged in.

Steve


------------------------------
Support Engineer
Broadcom
US

Original Message:
Sent: 03-30-2020 12:26 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Username is displayed on this page. This is a serious problem.
Original Message:
Sent: 03-30-2020 12:20 PM
From: Garin Walsh
Subject: get_sessions.jsp

It might vary by version but in 8.51 this query returned results.

And agreed, this is kind of a gaping security issue - cuts in half the work it takes to guess a login. And it provides the remote IP making it much easier to spoof a connection.

Original Message:
Sent: 03-30-2020 12:05 PM
From: Solomon Melamed
Subject: get_sessions.jsp

I happened to find out

Original Message:
Sent: 03-30-2020 12:04 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Original Message:
Sent: 03-30-2020 11:59 AM
From: Solomon Melamed
Subject: get_sessions.jsp

It works without a user and password
Original Message:
Sent: 03-30-2020 11:54 AM
From: Daniel Blanco
Subject: get_sessions.jsp

Hi Solomon,
What the security issue here?
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:

------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

Yes, I have to agree but you can upgrade to 9.20 so that its no longer an issue.

Steve

------------------------------
Support Engineer
Broadcom
US
------------------------------

Original Message:
Sent: 03-30-2020 02:49 PM
From: Solomon Melamed
Subject: get_sessions.jsp

This page shows the usernames of their IP addresses Don't you think it's serious?
Original Message:
Sent: 03-30-2020 01:21 PM
From: Stephen Danseglio
Subject: get_sessions.jsp

As of UIM/UMP v9.20, hitting that url, e.g.,  <ump>/jsp/get_sessions.jsp displays the message:

   "You must be logged in to access this page."

It does not reveal any user info without being logged in.

Steve


------------------------------
Support Engineer
Broadcom
US

Original Message:
Sent: 03-30-2020 12:26 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Username is displayed on this page. This is a serious problem.
Original Message:
Sent: 03-30-2020 12:20 PM
From: Garin Walsh
Subject: get_sessions.jsp

It might vary by version but in 8.51 this query returned results.

And agreed, this is kind of a gaping security issue - cuts in half the work it takes to guess a login. And it provides the remote IP making it much easier to spoof a connection.

Original Message:
Sent: 03-30-2020 12:05 PM
From: Solomon Melamed
Subject: get_sessions.jsp

I happened to find out

Original Message:
Sent: 03-30-2020 12:04 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Original Message:
Sent: 03-30-2020 11:59 AM
From: Solomon Melamed
Subject: get_sessions.jsp

It works without a user and password
Original Message:
Sent: 03-30-2020 11:54 AM
From: Daniel Blanco
Subject: get_sessions.jsp

Hi Solomon,
What the security issue here?
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:

------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

I deleted the file from UMP
Original Message:
Sent: 03-30-2020 03:20 PM
From: Stephen Danseglio
Subject: get_sessions.jsp

Yes, I have to agree but you can upgrade to 9.20 so that its no longer an issue.

Steve

------------------------------
Support Engineer
Broadcom
US

Original Message:
Sent: 03-30-2020 02:49 PM
From: Solomon Melamed
Subject: get_sessions.jsp

This page shows the usernames of their IP addresses Don't you think it's serious?
Original Message:
Sent: 03-30-2020 01:21 PM
From: Stephen Danseglio
Subject: get_sessions.jsp

As of UIM/UMP v9.20, hitting that url, e.g.,  <ump>/jsp/get_sessions.jsp displays the message:

   "You must be logged in to access this page."

It does not reveal any user info without being logged in.

Steve


------------------------------
Support Engineer
Broadcom
US

Original Message:
Sent: 03-30-2020 12:26 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Username is displayed on this page. This is a serious problem.
Original Message:
Sent: 03-30-2020 12:20 PM
From: Garin Walsh
Subject: get_sessions.jsp

It might vary by version but in 8.51 this query returned results.

And agreed, this is kind of a gaping security issue - cuts in half the work it takes to guess a login. And it provides the remote IP making it much easier to spoof a connection.

Original Message:
Sent: 03-30-2020 12:05 PM
From: Solomon Melamed
Subject: get_sessions.jsp

I happened to find out

Original Message:
Sent: 03-30-2020 12:04 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Original Message:
Sent: 03-30-2020 11:59 AM
From: Solomon Melamed
Subject: get_sessions.jsp

It works without a user and password
Original Message:
Sent: 03-30-2020 11:54 AM
From: Daniel Blanco
Subject: get_sessions.jsp

Hi Solomon,
What the security issue here?
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:

------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

In your production environment? Did you rename the file location or delete the get_sessions.jsp file?

Steve

------------------------------
Support Engineer
Broadcom
US
------------------------------

Original Message:
Sent: 03-30-2020 03:26 PM
From: Solomon Melamed
Subject: get_sessions.jsp

I deleted the file from UMP
Original Message:
Sent: 03-30-2020 03:20 PM
From: Stephen Danseglio
Subject: get_sessions.jsp

Yes, I have to agree but you can upgrade to 9.20 so that its no longer an issue.

Steve

------------------------------
Support Engineer
Broadcom
US

Original Message:
Sent: 03-30-2020 02:49 PM
From: Solomon Melamed
Subject: get_sessions.jsp

This page shows the usernames of their IP addresses Don't you think it's serious?
Original Message:
Sent: 03-30-2020 01:21 PM
From: Stephen Danseglio
Subject: get_sessions.jsp

As of UIM/UMP v9.20, hitting that url, e.g.,  <ump>/jsp/get_sessions.jsp displays the message:

   "You must be logged in to access this page."

It does not reveal any user info without being logged in.

Steve


------------------------------
Support Engineer
Broadcom
US

Original Message:
Sent: 03-30-2020 12:26 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Username is displayed on this page. This is a serious problem.
Original Message:
Sent: 03-30-2020 12:20 PM
From: Garin Walsh
Subject: get_sessions.jsp

It might vary by version but in 8.51 this query returned results.

And agreed, this is kind of a gaping security issue - cuts in half the work it takes to guess a login. And it provides the remote IP making it much easier to spoof a connection.

Original Message:
Sent: 03-30-2020 12:05 PM
From: Solomon Melamed
Subject: get_sessions.jsp

I happened to find out

Original Message:
Sent: 03-30-2020 12:04 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Original Message:
Sent: 03-30-2020 11:59 AM
From: Solomon Melamed
Subject: get_sessions.jsp

It works without a user and password
Original Message:
Sent: 03-30-2020 11:54 AM
From: Daniel Blanco
Subject: get_sessions.jsp

Hi Solomon,
What the security issue here?
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:

------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.

I renamed the file and it's a production environment
Original Message:
Sent: 03-30-2020 03:39 PM
From: Stephen Danseglio
Subject: get_sessions.jsp

In your production environment? Did you rename the file location or delete the get_sessions.jsp file?

Steve

------------------------------
Support Engineer
Broadcom
US

Original Message:
Sent: 03-30-2020 03:26 PM
From: Solomon Melamed
Subject: get_sessions.jsp

I deleted the file from UMP
Original Message:
Sent: 03-30-2020 03:20 PM
From: Stephen Danseglio
Subject: get_sessions.jsp

Yes, I have to agree but you can upgrade to 9.20 so that its no longer an issue.

Steve

------------------------------
Support Engineer
Broadcom
US

Original Message:
Sent: 03-30-2020 02:49 PM
From: Solomon Melamed
Subject: get_sessions.jsp

This page shows the usernames of their IP addresses Don't you think it's serious?
Original Message:
Sent: 03-30-2020 01:21 PM
From: Stephen Danseglio
Subject: get_sessions.jsp

As of UIM/UMP v9.20, hitting that url, e.g.,  <ump>/jsp/get_sessions.jsp displays the message:

   "You must be logged in to access this page."

It does not reveal any user info without being logged in.

Steve


------------------------------
Support Engineer
Broadcom
US

Original Message:
Sent: 03-30-2020 12:26 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Username is displayed on this page. This is a serious problem.
Original Message:
Sent: 03-30-2020 12:20 PM
From: Garin Walsh
Subject: get_sessions.jsp

It might vary by version but in 8.51 this query returned results.

And agreed, this is kind of a gaping security issue - cuts in half the work it takes to guess a login. And it provides the remote IP making it much easier to spoof a connection.

Original Message:
Sent: 03-30-2020 12:05 PM
From: Solomon Melamed
Subject: get_sessions.jsp

I happened to find out

Original Message:
Sent: 03-30-2020 12:04 PM
From: Solomon Melamed
Subject: get_sessions.jsp

Original Message:
Sent: 03-30-2020 11:59 AM
From: Solomon Melamed
Subject: get_sessions.jsp

It works without a user and password
Original Message:
Sent: 03-30-2020 11:54 AM
From: Daniel Blanco
Subject: get_sessions.jsp

Hi Solomon,
What the security issue here?
You can only make this call and get a result if you are a valid UMP user and logged into the UMP which requires a valid user \ pass:

------------------------------
Daniel Blanco
Enterprise Tools Team Architect
DBlanco@alphaserveit.com

Original Message:
Sent: 03-30-2020 08:53 AM
From: Solomon Melamed
Subject: get_sessions.jsp

This is a very serious information security breach
Original Message:
Sent: 03-30-2020 08:49 AM
From: Gene HOWARD
Subject: get_sessions.jsp

see https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=35708
If you are asking if you can disable this te answer is no, not currently.

------------------------------
Gene Howard
Principal Support Engineer
Broadcom

Original Message:
Sent: 03-30-2020 04:08 AM
From: Solomon Melamed
Subject: get_sessions.jsp

Hi Support,

I found that anyone can run get_sessions.jsp through the UMP and to get a list of connected users. Can i cancel it?

By the way, we can't log in to your support site, I hope you're fine.