
Sage ACT! Premium 2012 Security Issues

New Member
Posts: 2
Country: USA

Since this upgrade was purchased last year our agency has been trying to move it into our production environment. The issue that we are having is that before any of our web based applications can be moved into the production environment they must be scanned using Cenzic Hailstorm. We are currently at Version 14.2.209.0 and the score that the application has received is a very high score of 4151. We have tried to work with the company to no avail, so we decided to try and come over to the user community to see if anyone else had this issue. The issues that Cenzic has identified are:

Non-SSL Form / Non-SSL Password - These are only issues if the site being scanned (in test mode) was supposed to be in SSL but failed for whatever reason.  Since this was a scan of a test location, SSL was probably not set up, so this isn't a concern.

HTML and Javascript Comments - Please review the comments found in the report and determine if there are any comments that are accessible and need to be removed.  If the comments are irrelevant or you're unable to remove them, don't worry about it, as this isn't a major concern.

Form Caching / Cross-Frame Scripting - Adding the following code to the <HEAD> section of the html on your pages / include file / master page:

<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache, no-store">
<SCRIPT language="JAVASCRIPT">
<!--
// Frame busting: if this page has been loaded inside another site's frame,
// replace the top-level window with this page so it cannot be framed.
if (top.frames.length != 0)
    top.location = self.document.location;
// -->
</SCRIPT>

This should eliminate all of the Form Caching and Cross-Frame scripting issues.

Cookie Vulnerabilities - Add this code to your web.config file:

<!-- web.config attribute names are case-sensitive: requireSSL, not requiressl -->
<httpCookies httpOnlyCookies="true" requireSSL="true" />

This should resolve this issue.

Web Server Vulnerabilities - This isn't something that we need to be concerned about from an application perspective, as this vulnerability simply identifies the type of web server the application is running on and lists its potential vulnerabilities.

Thank you for any help that you may be able to provide.
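A small check of the kind a reviewer could run over a captured response before re-scanning, added here as an example (it is not part of the original post or of ACT! Premium): it parses a raw HTTP response and reports the same finding classes the scanner listed. Both responses below are constructed; the header and cookie names are illustrative.

```python
import re

# Constructed sample (not captured from ACT! Premium) showing each finding the
# scanner reported: cacheable form, frameable page, weak cookie, HTML comment.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nCache-Control: private\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    "Set-Cookie: pref=1; path=/; HttpOnly; Secure\r\n\r\n"
    "<html><head><!-- TODO: remove debug hooks --></head>"
    "<body><form action='/login'><input type='password' name='pw'></form></body></html>"
)
# The same page after the fixes discussed in the post.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nCache-Control: no-cache, no-store\r\nPragma: no-cache\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure\r\n\r\n"
    "<html><body><form action='/login'><input type='password' name='pw'></form></body></html>"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers, body); header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:  # repeated headers such as Set-Cookie keep every value
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def audit(raw):
    """Return the scanner-style findings present in the response, in a fixed order."""
    _, headers, body = parse_response(raw)
    findings = []
    cache = ",".join(headers.get("cache-control", [])).lower()
    if "no-store" not in cache:
        findings.append("Form Caching")  # browser may keep the filled-in form
    csp = ",".join(headers.get("content-security-policy", [])).lower()
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("Cross-Frame Scripting")  # another site could frame the page
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("Cookie without HttpOnly: " + name)
        if "secure" not in attrs:
            findings.append("Cookie without Secure: " + name)
    if re.search(r"<!--.*?-->", body, re.S):
        findings.append("HTML Comments")  # review and strip before release
    return findings
```

Running audit(SAMPLE_RESPONSE) lists all five findings, while audit(HARDENED_RESPONSE) returns an empty list, which is the state to reach before the next Hailstorm scan.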