Multiple Access Manager iManager application URLs prone to Reflected Cross-Site Scripting attack (CVE-2016-5756)

  • 7017813
  • 04-Jul-2016
  • 29-Aug-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
CVE-2016-5756

Situation

Access Manager is set up and working well. As part of a security assessment, a penetration test was carried out against all NAM components, and many iManager URLs were found to be prone to Reflected Cross-Site Scripting attacks. This vulnerability allows an attacker to send a manipulated link to a victim in order to execute arbitrary JavaScript code in the context of the victim's web browser. As a result, it is possible to steal cookie information in order to hijack user sessions. Another possibility is to load other malicious code.

The following parameters have been identified as vulnerable:

• /nps/servlet/frameservice parameter: taskId
• /nps/servlet/webacc parameter: SelectedAttribute
• /nps/servlet/webacc parameter: User.context
• /nps/servlet/webacc parameter: callBack
• /nps/servlet/webacc parameter: controlName
• /nps/servlet/webacc parameter: location
• /nps/servlet/webacc parameter: nextState
• /roma/admin/cntl parameter: delimNatAddresses
• /roma/jsp/admin/appliance/devicedetail_edit.jsp parameter: focus
• /roma/jsp/admin/managementip/mgmt_ip_details_frameset.jsp parameter: managementip
• /roma/jsp/admin/managementip/mgmt_ip_details_middleframe.jsp parameter: managementip
• /roma/jsp/volsc/monitoring/appliance.jsp parameter: appname
• /roma/jsp/volsc/monitoring/appliance.jsp parameter: refresh
• /roma/jsp/volsc/monitoring/graph.jsp parameter: back
• /nps/servlet/webacc parameter: error

The proof of concept URL: https://imanager.netiq.com:8443/roma/jsp/admin/managementip/mgmt_ip_details_middleframe.jsp?managementip=151.151.234.52gjhb1%3Cscript%3Ealert(%27NetIQAlert%27)%3C%2fscript%3Ex43rv

Resolution

Fixed in NAM 4.2.2 for NAM 4.2, and in NAM 4.1.2 Hot Fix 1 for NAM 4.1.
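
For reviewing access logs from systems that ran an unfixed version, the following added example (not NetIQ code) flags requests in which one of the parameters listed in the Situation section carries markup characters after URL decoding. The log layout, the character heuristic and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Endpoint -> parameter names, transcribed from this advisory's list.
VULNERABLE = {
    "/nps/servlet/frameservice": {"taskId"},
    "/nps/servlet/webacc": {"SelectedAttribute", "User.context", "callBack",
                            "controlName", "location", "nextState", "error"},
    "/roma/admin/cntl": {"delimNatAddresses"},
    "/roma/jsp/admin/appliance/devicedetail_edit.jsp": {"focus"},
    "/roma/jsp/admin/managementip/mgmt_ip_details_frameset.jsp": {"managementip"},
    "/roma/jsp/admin/managementip/mgmt_ip_details_middleframe.jsp": {"managementip"},
    "/roma/jsp/volsc/monitoring/appliance.jsp": {"appname", "refresh"},
    "/roma/jsp/volsc/monitoring/graph.jsp": {"back"},
}
# Assumed heuristic (not from the advisory): characters that can break out of HTML or script context.
MARKUP = re.compile(r"[<>\"'`]")
# Assumed log layout: request line quoted as in common/combined access logs.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode(value, rounds=2):
    """Undo extra percent-encoding layers so double-encoded markup is still seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_params(target):
    """Return (path, parameter, decoded value) for listed parameters carrying markup."""
    parts = urlsplit(target)
    listed = VULNERABLE.get(parts.path, ())
    return [(parts.path, name, decode(value))
            for name, values in parse_qs(parts.query, keep_blank_values=True).items()
            for value in values  # parse_qs has already decoded one layer
            if name in listed and MARKUP.search(decode(value))]

def scan(log_lines):
    """Return (line number, hit) for every flagged request in an access log."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match:
            findings.extend((number, hit) for hit in suspicious_params(match.group(1)))
    return findings
# Constructed sample log lines; the second carries the advisory's proof-of-concept query.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jul/2016:10:00:01 +0000] "GET /roma/jsp/admin/managementip/mgmt_ip_details_middleframe.jsp?managementip=151.151.234.52 HTTP/1.1" 200 512',
    '192.0.2.11 - - [04/Jul/2016:10:00:07 +0000] "GET /roma/jsp/admin/managementip/mgmt_ip_details_middleframe.jsp?managementip=151.151.234.52gjhb1%3Cscript%3Ealert(%27NetIQAlert%27)%3C%2fscript%3Ex43rv HTTP/1.1" 200 640',
]
for number, (path, name, value) in scan(SAMPLE_LOG):
    print(f"line {number}: {path} parameter {name} = {value!r}")
```

Only query-string parameters are inspected; values sent in POST bodies do not appear in access logs and need a different data source.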