CVE-2024-6200 – Stored Cross-Site Scripting in Tickets
General Information This article contains frequently asked questions relating to the stored cross-site scripting vulnerability affecting Halo versions up to 2.143.6. Users with the permission to open tickets may embed malicious JavaScript code into them which, when accessed by another user, executes within the context of that user. Are hosted Halo instances affected? Hosted customers […]
Read-only connection for reports
Prevent abuse of the report builder by ensuring a database connection with read-only privileges is used for SQL reports. Create a SQL user with read-only access to the Halo database. Create a new SQL user account in SQL Server Management Studio by going to Security > Logins, right-click on Logins and select New Login. Use […]
Enabling Secure Cookies in the Web Application
Enable secure cookies to stop cookies from being sent over HTTP. This is not enabled by default as it makes the application unusable over HTTP. Before enabling ensure an upgrade from HTTP to HTTPS is enabled as the app will no longer function over HTTP. Add the following property into the 3 appsettings.json files at […]
CVE-2024-6203 – Password Reset Poisoning
General Information This article contains frequently asked questions relating to the stored cross-site scripting vulnerability affecting Halo versions up to 2.143.61 and all 2.144 and 2.145 versions. Users with access to the forgotten password functionality can issue a password reset request to the victim's email address and, by manipulating the request in a specific way […]
CVE-2024-6202 – SAML XML Signature Wrapping (XSW)
General Information This article contains frequently asked questions relating to the XML signature wrapping vulnerability affecting Halo versions up to 2.143.8. SAML XML signature wrapping is an attack method where an attacker modifies the signed SAML message without invalidating the signature. This can lead to the attacker impersonating another user. Are hosted Halo instances affected? […]
Rolling back versions v2.45 and above to versions below v2.45
A change has been made to NHD_Roleclaims and NHD_Userclaims where the asset claims have values up to 3 rather than 2. This means that when rolling back, any claims relating to assets that have a value of 3 in either of these tables need to be dropped down to 2. Run the following 2 queries: Update NHD_roleclaims set […]
How are user passwords stored?
This article discusses the method used to store user passwords in Halo. When users are stored in the Halo database, their passwords are stored hashed. Halo uses the PBKDF2 key derivation function with a suitably high iteration count to hash the password for storage in the database. Each password has its own salt applied prior […]
Enable HTTP strict transport security (HSTS)
This ensures all traffic to the Halo site can only use a secure HTTPS connection. HTTPS must already be configured for the web application. Currently, these steps are required after any upgrade. If HTTPS/SSL is not configured, and HSTS is enabled, the application will not work. Open web.config in the root of your Halo web […]
IP Addresses for Whitelisting
For hosted Halo users, your traffic passes through the IP addresses below. This applies to API requests as well as SMTP/IMAP/POP connections. UK addresses to whitelist: 18.134.104.113 18.134.36.210 18.133.135.248 DNS listing for IPs (add this to the sending domain's SPF record): d3ukmail.nethelpdesk.com USA/Americas addresses to whitelist: 52.200.167.248 3.225.188.37 50.19.232.234 DNS listing for IPs (add this to […]
Setting up Two Factor Authentication
Two-factor authentication: how to use and implement it. Agents in Halo can use 2FA (two-factor authentication) to secure their account for any reason seen fit. This could be for data protection, security whilst out and about using Halo on a mobile or a laptop, or if you have staff using Halo in a public-facing […]