Menu

Search

GlobalSCAPE Knowledge Base


PTC and WTC trigger security violations


GlobalSCAPE 5
EFT Express (SMB) & Enterprise

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server, v6.4 and later

SYMPTOM

PTC and WTC trigger security violations

RESOLUTION

To reduce the likelihood of these false alarms, the Javascript for the clients can be minified to remove comments.

MORE INFORMATION

Occasionally security scanners will flag certain key words used in Javascript comments as security violations for both the Plain Text Client (PTC) and the Web Transfer Client (WTC). Every effort has been made to remove anything in the source code that can cause spurious scanner hits. However, as scanners and browsers are updated and new scanners come onto the market, the PTC and WTC Javascript code may produce fresh false alarms. To reduce the likelihood of these false alarms the Javascript for the clients can be minified to remove comments and any spurious security hits associated with them.

The web client sources installed with EFT Server have not been minified, but EFT Server administrators can minify the code themselves. The tool YUI Compressor, version 2.4.7, has been used to remove comments from the WTC/PTC primary Javascript source files, and the resulting source code has been tested to ensure their behavior has not changed. Most Javascript minifiers will, by default, obfuscate the code in addition to removing comments and whitespace. If the purpose of the minification is to only remove comments, command line parameters can be used to turn off obfuscation. Here is an example usage of YUI Compressor that does not obfuscate the code:

java -jar yuicompressor-2.4.7.jar --nomunge --disable-optimizations --line-break 0 EFTWebClientLogic.js -o EFTWebClientLogic-min.js

The above example demonstrates minifying the primary Javascript file for the WTC. The resulting file, EFTWebClientLogic-min.js, will be devoid of comments and whitespace, but still mildly readable since no obfuscation was performed. It is a good idea to back up files before they are minified since once minified they cannot be restored.

To use this minified version of the file

  1. In the folder from which the WTC/PTC is served, rename the current copy of the file (EFTWebClientLogic.js) to save it, in case you need to go back. For example, name it EFTWebClientLogic_unmini.js.
  2. Copy the -min file into the folder and rename it to EFTWebClientLogic.js.
  3. Open a browser and go to the WTC/PTC to see if you still get the security violations.

Also In This Category


On a scale of 1-5, please rate the helpfulness of this article


Not Helpful
Very Helpful
Optionally provide private feedback to help us improve this article...

Thank you for your feedback!


Comments require login or registration.

Details
Last Modified: 7 Years Ago
Last Modified By: GlobalSCAPE 5
Type: ERRMSG
Article not rated yet.
Article has been viewed 382 times.
Options
Find Similar