Comment by jiggawatts
8 hours ago
Speaking of ArcGIS and reverse proxies, they were circulating a single-file .ashx script for about a decade that ended up being the single worst security breach at several large government customers of mine… ever. By a mile.
For the uninitiated: this proxy was a hack to work around the poor internal architecture of ArcGIS enterprise, and to make things “work” it took the target server URL as a query parameter.
So yes, you guessed right: any server. Any HTTP to HTTPS endpoint anywhere on the network. In fact you could hack TCP services too if you knew a bit about protocol smuggling. Anonymously. From the Internet. Fun!
I’m still finding this horror embedded ten folders deep in random ASP.NET apps running in production.
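The comment above describes a proxy handler whose target is whatever URL arrives in a query parameter, which is the textbook open-proxy/SSRF shape. As an added illustration (not code from the ArcGIS proxy or from the commenter), here is the target check such a handler should have performed before forwarding anything: a strict allowlist of upstream hosts plus rejection of IP literals, userinfo tricks, odd ports and non-HTTP schemes. The allowlist hosts and the sample requests are constructed; the only page-derived value is the 7443 Portal port used in one rejected sample.

```python
from urllib.parse import urlparse
import ipaddress

# Constructed allowlist of upstream servers this proxy is permitted to reach.
# A real deployment would load this from configuration, never from the request.
ALLOWED_HOSTS = {"gis.example.org", "tiles.example.org"}
ALLOWED_PORTS = {None, 80, 443}  # None means the scheme default


def is_allowed_target(raw_url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if raw_url points at an allowlisted upstream over HTTP(S)."""
    try:
        u = urlparse(raw_url)
        host = u.hostname          # lower-cased, brackets stripped for IPv6
        port = u.port              # raises ValueError on a non-numeric port
    except ValueError:
        return False               # malformed URL (e.g. bad IPv6 literal)

    if u.scheme not in ("http", "https"):
        return False               # no file://, gopher://, etc.
    if not host:
        return False
    if u.username is not None or u.password is not None:
        return False               # "https://allowed-host@other-host/" tricks
    try:
        ipaddress.ip_address(host)
        return False               # any IP literal: loopback, link-local, RFC1918, public
    except ValueError:
        pass                       # not an IP literal, continue
    if port not in ALLOWED_PORTS:
        return False
    return host in allowed_hosts


def resolve_target(query_params, allowed_hosts=ALLOWED_HOSTS):
    """Mimic the handler's decision: return the upstream URL to forward to, or None.

    The original proxy effectively returned query_params["url"] unconditionally;
    the difference here is that anything outside the allowlist is dropped.
    """
    raw = query_params.get("url")
    if raw is None or not is_allowed_target(raw, allowed_hosts):
        return None
    return raw


if __name__ == "__main__":
    # Constructed sample requests, as a proxy would see them.
    samples = {
        "url": "https://gis.example.org/arcgis/rest/services",
    }
    print(resolve_target(samples))                     # forwarded
    print(resolve_target({"url": "https://127.0.0.1:7443/"}))  # None: rejected
```

The check deliberately refuses IP literals outright rather than trying to enumerate "internal" ranges, because a proxy that legitimately talks only to named GIS servers has no reason to accept addresses, and address-based blocklists are the part that historically gets bypassed.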
I'm acutely aware of that.
The folks who hired me didn't realize I was also a hacker. I did my due diligence as well, and this was more 10.3. And yes, it was terrible.
I know that FEMA and EPA both are running their public portals as 10.8, which is really bad. There's usually between 8-12 critical (CVSS 3.0 9 or greater) per version bump. Fuck if I know how federal acquisitions even allow this, but yeahhh.
Also, on Hosting Server install, there's configs with commented-out internal ticket numbers. You search this on Google, and you'll find out 25% of the IPs that hit it are Chinese. Obviously, for software that's used predominantly in the US government, a whole bunch of folks in opposition to us are writing it. And damn, the writing quality is TERRIBLE.
Basically, if you have to run ArcGIS Enterprise, keep it internal only if at all possible. Secure Portal operation is NOT to be trusted. And if you do need a public API, keep the single machine in a DMZ, or better yet, isolated on a cloud. Copy the data as a bastion, like an S3 bucket or rsync, or something. Don't connect it to your enterprise.
Oh, and even with 11.5, there are a multitude of hidden options you can set with the config for WebAdapter, including full debug. Some even save local creds, like for portaladmin.
Oh yeah, and if you access the Portal postgres DB and query the users table, you'll find 20 or so Esri accounts that are intentionally hidden from the Users list in Portal on :7443. The accounts do appear disabled... But why are they even there to begin with?
This is horrible!
It's sadly the norm for monopolistic industry-specific software. You see the same lack of due diligence in SCADA software and the like.