Question
Ministry of Education
SA
Last activity: 27 Jul 2022 7:25 EDT
Security issue - Hackers are able to get the active connection list by using PRTraceServlet URL
We don't want to disable the PRTraceServlet URL as it is one of the important tool to trace critical issues in higher envs.
Users are trying to hit this URL to get the connection list
/prweb/PRTraceServlet?pzDebugRequest=GetConnectionList
Is there any way to restrict this URL only to developers?
Updated: 27 Jul 2022 7:25 EDT
Pegasystems Inc.
GB
@MalleshM3137 Have you already implemented urlencryption + submitobfuscatedurl DSS settings to mitigate these types of security concerns?
Understanding cross-site scripting
In 7.3.1 there is hotfix HFIX-64523 (vulnerability using Remote tracer) we can enable/disable Remote Tracer on a DSS setting. To perform remote node tracing the requestor need to have the following access privilege to access the connectionlist. "TraceOptionsConnectView"
Please log a 'For Something I need' HF- type request ticket via My Support Portal if you do not yet have this hotfix installed on your environment.
In 8.5 and later versions there is not security vulnerability in tracer because
1.) The getConnectionList will only worked if user has privilege TraceOptionsConnectView which is an administrative privilege.
2.) Pega rules cookies are encrypted so a user can not hijack another user session using requestor ID
So we do not need to add disable/enable remote tracer in these versions.
Perhaps other users can comment on ways to disable specific URL entry parameters.