iDempiere 7.1 - Web Penetration Testing - Vulnerabilities detected


Jaurès FOUTE

Jun 11, 2023, 2:25:41 PM
to iDempiere
Hello Community,

To evaluate the security level of iDempiere 7.1, one of our customers decided to perform intrusion tests. Below are the details of the 8 vulnerabilities identified.

  1. Missing security headers
  2. Cookie Not Marked as HttpOnly
  3. Out-of-date Version (jQuery)
  4. Technical information disclosure
  5. Directory Listing enabled
  6. Code Exposure via Directory Listing
  7. Out-of-date Version (Jetty Web Server)
  8. SSL Security issue
Details of the Vulnerabilities are attached.

BTW: The results obtained after completion of the penetration tests allow identifying a general level of security: Medium.

Any solution or advice on how to solve all the vulnerabilities mentioned is welcome.
Thank you in advance.

iDempiere 7.1 - Web Penetration Testing - Vulnerabilites Detected.pdf

Carlos Antonio Ruiz Gomez

Jun 12, 2023, 5:39:16 AM
to idem...@googlegroups.com
Thanks Jaurès for sharing those findings.

The recommended setup of iDempiere is to avoid exposing Jetty directly to the internet, but to do it through an nginx server as a proxy.

There is also a recommended configuration here which takes care of some of those findings.

It would be nice if the same pentest could be conducted with nginx as a proxy and with a release-10 iDempiere; release-7.1 is too old.

Regards,

Carlos Ruiz




On 11/6/23 at 20:25, Jaurès FOUTE wrote:
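As an added illustration of the reverse-proxy layer recommended above (this is example configuration written for this thread, not the iDempiere project's own recommended configuration, which is linked in the reply), the nginx server block below addresses findings 1, 2, 4 and 8 from the first message: it forces HTTPS with only TLS 1.2/1.3, hides version information, adds the missing response headers, and rewrites every backend cookie to carry HttpOnly and Secure. The hostname erp.example.com, the backend address 127.0.0.1:8080 and the certificate paths are assumptions for the example.

```nginx
# Added example, not the iDempiere project's recommended configuration.
# Assumptions (hypothetical): iDempiere's Jetty listens on 127.0.0.1:8080,
# the public name is erp.example.com, and the TLS material lives in /etc/nginx/tls/.

server {
    listen 80;
    server_name erp.example.com;
    return 301 https://$host$request_uri;   # never serve the application over plain HTTP
}

server {
    listen 443 ssl http2;
    server_name erp.example.com;

    ssl_certificate     /etc/nginx/tls/erp.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/erp.example.com.key;
    # Finding 8 (SSL): refuse legacy protocol versions and let the server pick the cipher.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Finding 4 (technical information disclosure): nginx replaces the backend's
    # Server header with its own; server_tokens off removes the version from it.
    server_tokens off;
    proxy_hide_header X-Powered-By;

    # Finding 1 (missing security headers). "always" keeps them on error responses
    # too. Note: add_header is NOT inherited by a location block that declares its
    # own add_header, so keep all of them at server level.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Finding 2 (cookie not marked HttpOnly): add the flags to every Set-Cookie
    # the backend emits (proxy_cookie_flags requires nginx 1.19.3 or newer).
    proxy_cookie_flags ~ httponly secure samesite=lax;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Generous read timeout for long-running application requests (value is an assumption).
        proxy_read_timeout 300s;
    }
}
```

Two caveats a practitioner should keep in mind. First, findings 5 and 6 (directory listing and the code it exposes) are produced by Jetty, and a proxy in front of it does not change that, which is the point raised later in the thread; Jetty's DefaultServlet controls listing with its dirAllowed init parameter, and where that is set in an iDempiere install is not covered here. Second, the proxy only helps if Jetty's own ports are no longer reachable from the internet, so the host firewall or cloud security group should allow only the proxy's 80/443, and the checks from the report (response headers, Set-Cookie flags, TLS versions) are easy to repeat against the proxied URL to confirm each finding is actually closed.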

Jaurès FOUTE

Jun 12, 2023, 8:15:21 AM
to iDempiere
Hello Carlos,

Thanks for your feedback. But as far as I know, a proxy can't solve all these issues.
For example, vulnerabilities 5 and 6 are also observed on https://demo.globalqss.com/, as shown below.
Selection_831.png
Is there a way to hide some of the information exposed in the report?

Jaurès FOUTE

Jun 12, 2023, 8:37:45 AM
to iDempiere
+ Vulnerability 3 

Selection_832.png

Carlos Antonio Ruiz Gomez

Jun 12, 2023, 8:44:14 AM
to idem...@googlegroups.com
The three demo sites are community sites; they are not configured for security.

Regards,

Carlos Ruiz


On 12/6/23 at 14:37, Jaurès FOUTE wrote:

Jaurès FOUTE

Jun 12, 2023, 9:16:15 AM
to iDempiere
Okay Carlos. If I understand you correctly, I just need to install iDempiere behind the proxy?

Carlos Antonio Ruiz Gomez

Jun 13, 2023, 12:21:18 PM
to idem...@googlegroups.com
I'm not saying that solves all the problems, just suggesting to run the pentest on a release-10 server protected in this recommended way.

The security issues raised can be worked on after that.

Of course, security issues in release-7.1 can be worked on too, but that is not a community-maintained version, so it could be managed in a different way.

Regards,

Carlos Ruiz


On 12/6/23 at 15:16, Jaurès FOUTE wrote:


Jaurès FOUTE

Jun 14, 2023, 6:07:23 PM
to iDempiere
Okay. Unfortunately, we don't have Release 10 installed.
Is it possible to have a link to a release 10 instance that we can work on?

Carlos Antonio Ruiz Gomez

Jun 15, 2023, 5:25:29 AM
to idem...@googlegroups.com

Jaurès, I'll try to set up a temporary instance in AWS for the tests.

Improving the security is a must for the project.

I'll let you know the URL and credentials when done.

Regards,

Carlos Ruiz



On 15/6/23 at 0:07, Jaurès FOUTE wrote:

Jaurès FOUTE

Jun 15, 2023, 10:39:07 AM
to iDempiere
Okay, well received.

Carlos Antonio Ruiz Gómez

Jun 15, 2023, 1:22:21 PM
to iDempiere
Hi Jaurès, I created this server:

For this pentest maybe you don't need it, but if you need login credentials, please let me know.

Regards,

Carlos Ruiz

Jaurès FOUTE

Jun 16, 2023, 3:33:20 AM
to iDempiere
I will revert to you next week with the result of the test, please.

Carlos Antonio Ruiz Gomez

Jun 23, 2023, 5:29:42 AM
to idem...@googlegroups.com
Hi Jaurès, I stopped the AWS instance, please let me know if you need it again.

Regards,

Carlos Ruiz

Jaurès FOUTE

Jun 23, 2023, 2:18:23 PM
to iDempiere
Hello Carlos,

Okay, it's okay for me.
The report is attached to this mail.
Globally, all is fine.

ISNOV_PENTEST_REPORT_pentest.idempiere.org_20230623_v2.pdf