Gateway Administration Console (Web UI) Improvements

The ESF Gateway Administration Console features that prevent security breaches are described in the following sections.

Arbitrary File Write

The ESF Gateway Administration Console allows to execute shell scripts on the device directly from the Web UI, it is also possible to upload a ZIP file that will be extracted by the device to the working directory of the user script.

ESF sanitises extracted file names to block directory traversal attacks and guard against security attacks through file uploads using custom and malicious ZIP files.

ESF protects against DOS attacks through file uploads by providing the ability to configure a maximum size of the extracted content of 100 MB and a maximum number of 1024 extracted files. These settings may be configured in the kura.properties file using the following parameters:

  • file.command.zip.max.size (size specified in MB)

  • file.command.zip.max.number

XSS on User and System Data

ESF sanitises​ data to guard against XSS attacks and checks data that is fetched from the operating system.

Hidden Web Passwords

ESF prevents the transfer of password values to the client browser. This feature may also defend against brute force attacks based on knowledge of password size.

XSRF (Cross-site Request Forgeries) Attacks

ESF checks all Gateway Administration Console interactions using XSRF tokens. These single-use tokens are session related and are checked prior to every user interaction on the device side.