Query String Parameter in HTTPS Request

Posted: Thu Jan 24, 2019 12:20 pm
by yasanthau

Upon a vulnerability scan, it is requested to fix the above issue on Zimbra Server (8.8.7_GA_1964.RHEL7_64_20180223145016 RHEL7_64 FOSS edition). Please refer to the details below.

Sensitive information is exposed in transit between the client and the server via URL query string parameters. URLs may be stored or viewed in multiple places during and after a request is made to the server:

• If the URL is requested by clicking a link or manually entering the address, the query string can be seen in the browser address bar
• URLs are often logged in multiple places including the browser history, proxy logs, and web server logs
• The query string will be sent as part of the URL if the URL is passed to another site via the Referer header
• URLs sent to the user as part of an HTML page may be cached on disk

An attacker who gains access to any location where URLs are stored will be able to view sensitive information passed via the query string. Depending on the nature of the information, a malicious user may obtain personally identifiable information (PII), private user data or information which would allow user impersonation (in the event of credential or session identifier exposure).

Potential access vectors may include but are not limited to:

• Browser history, proxy logs, web server logs, etc.
• Utilizing other attacks (such as cross-site scripting) to extract sensitive information from the source of a page containing links to URLs with sensitive information in the query string
• Shoulder-surfing the URL in a user's browser address bar

Sensitive information should be passed between the client and server via POST parameters and
not in any portion of the URL.

Any solution to this issue is highly appreciated.
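
An added example, not part of the original post: a Python scan of web server access log lines for the exposure the scan report describes, reporting each request whose query string carries a sensitive parameter and redacting the value. The parameter names in `SENSITIVE` and the sample log lines are constructed assumptions, not Zimbra's actual parameters or logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed parameter names worth flagging; adjust to the application under review.
SENSITIVE = {"password", "passwd", "token", "authtoken", "sessionid", "apikey"}

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted_target, sorted list of sensitive parameter names found)."""
    parts = urlsplit(target)
    found, pairs = set(), []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.add(name.lower())
            value = "REDACTED"
        pairs.append((name, value))
    redacted = urlunsplit(parts._replace(query=urlencode(pairs)))
    return redacted, sorted(found)

def scan_log(lines):
    """Yield (line_number, method, redacted_target, names) for each exposing request."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        redacted, names = redact_target(match["target"])
        if names:
            yield number, match["method"], redacted, names

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2019:12:20:01 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '192.0.2.10 - - [24/Jan/2019:12:20:05 +0000] "POST /login HTTP/1.1" 302 0',
    '192.0.2.11 - - [24/Jan/2019:12:21:09 +0000] "GET /mail?view=inbox&AuthToken=abc123 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The POST request on the second sample line is not reported because its credentials travel in the request body, which the access log does not record.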