I observed that the web tool project I'm working on has a potential vulnerability, where a well-forged HTTP form request can make the internal server execute an arbitrary shell command.
However, the web tool page is only accessible to my company's internal network and users. Although an attacker could still make a malicious page that forges the request and trick our internal users into clicking on it, it seems difficult for an attacker to figure out a well-forged HTTP request without direct access to the web page. In that case, is this still a serious vulnerability that needs to be fixed?
Sorry, I'm not very familiar with security. Please let me know if further information is needed.
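The two links in the chain the question describes, as an added example that is not code from the poster's project: a form field spliced into a shell string (the vulnerable pattern) beside a hardened version that validates the field and never hands it to a shell, plus a per-session CSRF token check so that a forged cross-site form is rejected even when the attacker knows the exact field names. The endpoint, field name `host`, the `echo` stand-in for the real tool, the server secret and the session id are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
import subprocess

# Constructed values for the example. A real application keeps the secret
# outside the code and looks the session id up in a server-side session store.
SERVER_SECRET = secrets.token_bytes(32)

# Allow-list for the one field this endpoint accepts: DNS hostname labels only.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def vulnerable_lookup(form: dict) -> str:
    """The pattern the question describes: the form field becomes part of a
    shell command line. 'echo' stands in for the real tool so this is harmless;
    a ';' in the field still makes the shell run a second command."""
    cmd = "echo lookup " + form["host"]
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_lookup(form: dict) -> str:
    """Reject anything that is not a hostname, then pass the value as its own
    argv element so no shell ever parses it."""
    host = form.get("host", "")
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return subprocess.run(["echo", "lookup", host], capture_output=True, text=True).stdout


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    A third-party page cannot compute it without the secret and cannot read
    it out of the victim's page because of the same-origin policy."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(session_id: str, submitted: str) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    return hmac.compare_digest(csrf_token(session_id), submitted or "")


def handle_request(session_id: str, form: dict) -> str:
    """Hardened endpoint: refuse forged submissions first, then run safely."""
    if not csrf_ok(session_id, form.get("csrf_token", "")):
        raise PermissionError("missing or invalid CSRF token")
    return hardened_lookup(form)


if __name__ == "__main__":
    payload = {"host": "intranet.example; echo INJECTED"}
    print(vulnerable_lookup(payload), end="")      # the injected command runs
    try:
        hardened_lookup(payload)
    except ValueError as e:
        print("rejected:", e)
    sid = "victim-session"
    forged = {"host": "intranet.example", "csrf_token": ""}  # what a cross-site form can send
    try:
        handle_request(sid, forged)
    except PermissionError as e:
        print("rejected:", e)
    legit = {"host": "intranet.example", "csrf_token": csrf_token(sid)}
    print(handle_request(sid, legit), end="")
```

The token check matters independently of the command fix: the forged form in the question is blocked by `csrf_ok` whether or not the handler is still injectable, and the argv form plus allow-list means that even a request that does carry a valid token cannot reach a shell with attacker-controlled syntax.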
Answer 0: (score: 1)
This is usually a judgment call, governed by company policy.
If your company is small, the entire staff can be trusted, and you can guarantee the application will never be exposed publicly, you may choose not to fix this if the fix is difficult.
If any of those conditions does not hold, then you should fix the vulnerability. Often, applications that were once internal become public and the vulnerability is forgotten. Also consider that an insider may be fired and use this vulnerability in retaliation.
Fixing the vulnerability is always safer. Make the trade-off wisely.