Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

15
Replies
749
Views
DendiA71 Member since 2016 10 posts
PT Bank Sinarmas
Posted: Nov 24, 2017
Last activity: Feb 9, 2018
Closed
Solved

Security issue when publish on internet

Hi All,

I have plan to publish Pega System in the internet connection, is there any security issue about this ?
Because i have try to change pega url with xss scripting, it's showing like in attachment ?
How can I solve that ?

Thanks

Brgds,

Dendi

***Moderator Edit: Vidyaranjan | Updated SR details***

To see attachments, please log in.
Security
Support Case Created

Accepted Solution

Posted: 7 years ago

Upon reviewing the associated SR, I see that the resolution was as follows. Please do this if you are having the same trouble:

Add below DSS in Designer Studio and prconfig.xml.

DSS:

Pega-Engine: Security/CSRF/secureall = true
Pega-Engine: Security/CSRF/mitigation = true

Prconfig.xml:

< env name="security/urlaccessmode" value="deny" />
< env name="initialization/ErrorOnInvalidThreadName" value="true" /> 

A server restart is required after making these changes 

To see attachments, please log in.
Posted: 7 years ago

Hi,

The easiest way to avoid this is to only use autogenerated UI rules.If you must use a nonautogenerated rule, always ensure the value has been properly filtered and escaped before displaying it back to the user.

To see attachments, please log in.
Posted: 7 years ago

Hi,

 

My plan is only open internet connection to Pega Application Server.

And when user want to access the application, he/she must be login using default pega system login form.

Is there additional action to do in Pega System when publish to internet for this security issue ?

 

Brgds,

Dendi A

To see attachments, please log in.
Posted: 7 years ago

Hi Dendi,

For the original issue, please refer to the following article:

https://docs-previous.pega.com/secu0005-alert-thread-name-url-contains-invalid-characters

Show More

Hi Dendi,

For the original issue, please refer to the following article:

https://docs-previous.pega.com/secu0005-alert-thread-name-url-contains-invalid-characters

You would need to set <env name="initialization/ErrorOnInvalidThreadName" value="true" />


Show Less
To see attachments, please log in.
Posted: 7 years ago

Hi 

You can try giving the following DSS setting. 

Pega-Engine - prconfig/initialization/erroroninvalidthreadname/default -> true
Pega-Engine - Security/CSRF/secureall -> true
Pega-Engine - Security/CSRF/mitigation -> True

Thank you

Anuj

To see attachments, please log in.

Accepted Solution

Posted: 7 years ago

Upon reviewing the associated SR, I see that the resolution was as follows. Please do this if you are having the same trouble:

Add below DSS in Designer Studio and prconfig.xml.

DSS:

Pega-Engine: Security/CSRF/secureall = true
Pega-Engine: Security/CSRF/mitigation = true

Prconfig.xml:

< env name="security/urlaccessmode" value="deny" />
< env name="initialization/ErrorOnInvalidThreadName" value="true" /> 

A server restart is required after making these changes 

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice