We were informed that there is a client-side desync vulnerability associated with the following URL on our PA server:

https://xxx.xxx.xxx.xxx:81/shared/pa_report.css

Is there a way to disable the embedded HTTP server? Or is there a way to mitigate this vulnerability?

Please advise - thank you.

asked 10 Feb '23, 15:28 5tafd444
We've just pushed out an update for this in version 9.1.0.9, available at: https://www.poweradmin.com/products/server-monitoring/downloads/preview/

To answer the question, you can disable the embedded HTTPS server by setting

HKLM\software\PAServerMonitor ReportHTTPPort = 0

However, be aware that the Console, helper application, Satellites, Inventory Collector (System Details) and more all communicate through that HTTPS port, so this will have an impact on a number of things.

answered 13 Feb '23, 15:00 Doug ♦♦