Environment
Novell User Application 3.0.1
Novell User Application 3.5.0
Novell User Application 3.5.1
Novell Identity Manager Roles Based Provisioning Module 3.6.0
Novell Identity Manager Roles Based Provisioning Module 3.6.1
Novell User Application 3.5.0
Novell User Application 3.5.1
Novell Identity Manager Roles Based Provisioning Module 3.6.0
Novell Identity Manager Roles Based Provisioning Module 3.6.1
Situation
Cross-Site Scripting vulnerability has been discovered in the current releases of the Novell User Application and Novell Identity Manager Roles Based Provisioning Module.
For more information about Cross-Site Scripting please see the Additional Information Area.
For more information about Cross-Site Scripting please see the Additional Information Area.
Resolution
The fix for Novell User Application 3.0.1 is in the IDM User Application 301 Field Patch R (UA301R) or newer found
at https://dl.netiq.com/patch/finder/
The fix for Novell User Application 3.5.0 is in the IDM User Application 350 Field Patch AD (UA350AD) or newer found at https://dl.netiq.com/patch/finder/
The fix for Novell User Application 3.5.1 is in the IDM User Application 351 Field Patch V (UA351V) or newer found
at https://dl.netiq.com/patch/finder/
The fix for Novell Identity Manager Roles Based Provisioning Module 3.6.0 is in the IDM Roles Based Provisioning Module 360 Field Patch C (UA360C) or newer found at https://dl.netiq.com/patch/finder/
The fix for Novell Identity Manager Roles Based Provisioning Module 3.6.1 is in the IDM Roles Based Provisioning Module 361 Field Patch A (UA361A) or newer found at https://dl.netiq.com/patch/finder/
at https://dl.netiq.com/patch/finder/
The fix for Novell User Application 3.5.0 is in the IDM User Application 350 Field Patch AD (UA350AD) or newer found at https://dl.netiq.com/patch/finder/
The fix for Novell User Application 3.5.1 is in the IDM User Application 351 Field Patch V (UA351V) or newer found
at https://dl.netiq.com/patch/finder/
The fix for Novell Identity Manager Roles Based Provisioning Module 3.6.0 is in the IDM Roles Based Provisioning Module 360 Field Patch C (UA360C) or newer found at https://dl.netiq.com/patch/finder/
The fix for Novell Identity Manager Roles Based Provisioning Module 3.6.1 is in the IDM Roles Based Provisioning Module 361 Field Patch A (UA361A) or newer found at https://dl.netiq.com/patch/finder/
Status
Security AlertAdditional Information
A definition of Cross-Site Scripting according to http://www.webopedia.com
(http://www.webopedia.com/TERM/X/XSS.html):
"An abbreviation of cross-site scripting. XSS is a security breach that takes advantage of dynamically generated Web pages. In an XSS attack, a Web application is sent with a script that activates when it is read by an unsuspecting user’s browser or by an application that has not protected itself against cross-site scripting. Because dynamic Web sites rely on user input, a malicious user can input malicious script into the page by hiding it within legitimate requests. Common exploitations include search engine boxes, online forums and public-accessed blogs. Once XSS has been launched, the attacker can change user settings, hijack accounts, poison cookies with malicious code, expose SSL connections, access restricted sites and even launch false advertisements. The simplest way to avoid XSS is to add code to a Web application that causes the dynamic input to ignore certain command tags.
Scripting tags that take advantage of XSS include <SCRIPT>, <OBJECT>, <APPLET>, <EMBED> and <FORM>. Common languages used for XSS include JavaScript, VBScript, HTML, Perl, C++, ActiveX and Flash.
Cross-site scripting also is referred to as malicious tagging and sometimes abbreviated as CSS, though CSS is more commonly used as an abbreviation for cascading style sheets. "
(http://www.webopedia.com/TERM/X/XSS.html):
"An abbreviation of cross-site scripting. XSS is a security breach that takes advantage of dynamically generated Web pages. In an XSS attack, a Web application is sent with a script that activates when it is read by an unsuspecting user’s browser or by an application that has not protected itself against cross-site scripting. Because dynamic Web sites rely on user input, a malicious user can input malicious script into the page by hiding it within legitimate requests. Common exploitations include search engine boxes, online forums and public-accessed blogs. Once XSS has been launched, the attacker can change user settings, hijack accounts, poison cookies with malicious code, expose SSL connections, access restricted sites and even launch false advertisements. The simplest way to avoid XSS is to add code to a Web application that causes the dynamic input to ignore certain command tags.
Scripting tags that take advantage of XSS include <SCRIPT>, <OBJECT>, <APPLET>, <EMBED> and <FORM>. Common languages used for XSS include JavaScript, VBScript, HTML, Perl, C++, ActiveX and Flash.
Cross-site scripting also is referred to as malicious tagging and sometimes abbreviated as CSS, though CSS is more commonly used as an abbreviation for cascading style sheets. "