Summary

Is web page URL change a potential vulnerability as reported by Nessus scan?

Question

One of our customers scanned their software products with Nessus plugin and it reported a potential vulnerability for the FNP 11.14.1.3 lmadmin web server that they deliver with their products. Basically, this plugin looks for any changes to a web page when the URL has new parameters added like admin, debug, or test with a value of true. When admin=true is submitted to the lmadmin web server, the resulting webpage is slightly different which the Nessus plugin assumes is a vulnerability. Is that the case?

Answer

There is no vulnerability here. The "admin" URL parameter is handled by lmadmin in such a way that the HTTP client (or browser) has used it to indicate the license administration tab ("System Information"/"User Configuration"/"Alert Configuration"/"Server Configuration"/"Vendor Daemon Configuration") which has to be displayed. (It is not used to indicate whether the login is in administrator mode or not.)

When the HTTP client provides a value for the "admin" URL parameter, it gets used by lmadmin to form the request URL for the "Administration" link. If the HTTP client gives an invalid value like "true" for the "admin" URL parameter, the "Administration" link in the web-page returned by lmadmin will point to something like "http:serverName:port/true?vendor=vendorName&licenseTab=&selected=". However, since "/true" does not map to any valid administration tab, in this case, lmadmin will return an error page saying "The page you requested on Lmadmin cannot be found." upon clicking that link; but there will not be any exposure of unintended or additional functionality. Also, lmadmin's configuration (which is persisted using the "conf/server.xml" file) is in no way affected by that malformed HTTP request (that had a value of "true" for the "admin" URL parameter).