Section 3.15 of the ServiceNow Instance Hardening document describes a specific compliance vulnerability recommendation. This vulnerability is described as "Privacy on Client-Callable Script Includes".
This article will briefly describe how to determine if a particular ServiceNow instance might be susceptible to this vulnerability and how to to fix the vulnerability if is found on a particular instance.
Reviewing this particular vulnerability in a list of potential vulnerability checks on an instance can be somewhat confusing as it may be unclear as to whether a particular instance may actually be susceptible to this vulnerability as described in the Instance Hardening guide.
However, the vast majority of instances will not be exposed to this vulnerability and will thus not need to make any changes to the instance.
The description of the vulnerability and the text on how to resolve it as given in the checklist describes a specific property (glide.script.ccsi.ispublic) which should be checked for on the instance. However, one point that should be kept in mind is that many system properties that an instance might recognize have a default value for a specific System Property if that property is not found on the instance. This default value applies to the System Property which is considered for the use of public pages calling Client Callable Script Include records. Thus when the glide.script.ccsi.ispublic property is not found on an instance, the system applies the default value of this property (false) to this property. A value of false for this property is thus the secure or hardened version of the property and thus prevents this access to client callable script includes to any public pages.
Thusly, this hardening check should only occur on an instance in which the glide.script.ccsi.ispublic was explicitly added to the instance and set to a value of true. In those cases, the instance will allow the calling of Script Includes with the "Client Callable" option selected for that Script Include from a public UI Page found on that instance. In those cases, in order to correct the issue as necessary, the steps in the following section should be applied to the instance.
To remove this potential vulnerability, if found, there are two methods that can be used. Since this vulnerability will only apply to an instance which has the system property glide.script.ccsi.ispublic explicitly defined for the property, this can be corrected by changing the value of the System Property to false. The following steps show how this can be done on an instance:
Modify the Value of the glide.script.ccsi.ispublic System Property:
Log onto the instance with an account having admin rights to the instance.
In the Filter navigator type sys_properties.list and press the Enter key. This will display a list of properties defined on that instance.
Use the filter to locate the System Property on the instance with the name glide.script.ccsi.ispublic. If this System Property cannot be found on the instance, this instance will not experience this vulnerability. If the System Property is found on the instance open that record for editing.
Set the Value field to false if not already set to false.
Click the Update button to save the Change.
There are a few important facts that should be remembered in relation to this property:
- Once this property has been added and set to a value of false, it cannot be changed back to a value of true due to security constraints on the system.
- Similarly, this property, once added to an instance cannot be deleted from within the instance.
- It is also understood that, in certain cases, it may be necessary for a public page to allow access to a Client Callable Script Include. This can be configured on an individual Script Include to allow access to that Script Include from a public page. Please see Knowledge Base Article (KB0793402 - How to enable public access for a client callable script include) which describes how that can be done.
- If the instance does not include the property or the property is found on the instance with a value of false, the instance will not be susceptible to the vulnerability and, as no changes have been made, no change of functionality as regards to public pages will be experienced on the instance.
This potential vulnerability is also included in the following Instance Hardening Guide: