Environment
NetIQ Access Manager 4.2
Access Manager Identity Server
Situation
Access Manager 4.2 shipped with a new portal page designed to show appmarks. To simplify this portal page and its branding, a new set of JSP pages was released. However, the 'id' parameter in the Identity Server is vulnerable to Reflected Cross-Site Scripting (XSS). An attacker can exploit this weakness to execute arbitrary JavaScript code in the context of other users and send their login credentials to the attacker. In this way it is possible to hijack the user's account.
As an example, the attacker could send the following URL to the user to trigger an alert:
https://login.netiq.com/nidp/jsp/main.jsp?id=8upqjn'-alert(1)-'b1uso&sid=0
Other formats may be used to trigger the same, e.g.:
https://login.netiq.com/nidp/jsp/main.jsp?id=8upqjn<script>alert(1)</script>b1uso&sid=0
https://login.netiq.com/nidp/jsp/main.jsp?id=8upqjn%27-alert(1)-%27b1uso&sid=0
Resolution
Fixed in 4.2.2.
To work around the issue in versions earlier than 4.2.2, make sure that any custom pages follow the best practice at https://www.netiq.com/documentation/access-manager-42/admin/data/b15imuwk.html#b15imuwk.
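A workaround of this kind relies on custom pages output-encoding any request parameter before echoing it. The following added Python example is not NetIQ's code: `render_unsafe` is a constructed stand-in for a JSP that echoes `id` into a single-quoted JavaScript string literal (the context the `'-alert(1)-'` payload above points to), and `render_safe` shows the same page with the value escaped for that context; the checker and the URL parsing are illustration helpers, not part of the product.

```python
from urllib.parse import urlsplit, parse_qs


def id_param_from_url(url: str) -> str:
    """Return the percent-decoded 'id' query parameter as the server would see it."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]


def render_unsafe(id_value: str) -> str:
    """Constructed stand-in for the vulnerable pattern: the raw parameter is
    concatenated into a JavaScript string literal inside an inline script."""
    return "<script>var appmarkId = '" + id_value + "';</script>"


def js_string_escape(value: str) -> str:
    """Escape a value for placement inside a JavaScript string literal.

    Every character outside the ASCII alphanumeric allow-list becomes a \\xHH
    or \\uHHHH escape, so a quote cannot close the literal and '</script>'
    cannot close the script element (the HTML parser never sees a raw '<').
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif code < 0x100:
            out.append("\\x%02x" % code)
        else:
            # Code points above U+FFFF are emitted as UTF-16 surrogate pairs.
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%02x%02x" % (units[i], units[i + 1]))
    return "".join(out)


def render_safe(id_value: str) -> str:
    """Hardened form of render_unsafe: the parameter is escaped for the JS string context."""
    return "<script>var appmarkId = '" + js_string_escape(id_value) + "';</script>"


def value_stays_in_literal(rendered: str) -> bool:
    """Illustration check: the reflected value must not add quotes (which would end
    the literal) or a raw '<' (which could end the script element)."""
    body = rendered[len("<script>"):-len("</script>")]
    return body.count("'") == 2 and "<" not in body
```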