XSS vulnerability on NAGErrors (referenced when AG error generated) injecting a Referer HTTP header into request (can use ModifyHeaders browser extension as an example)

  • 7018793
  • 11-Apr-2017
  • 24-Apr-2017

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.3
NetIQ Access Gateway Error pages
CVE-2017-5191

Situation

Using the Access Gateway (AG) error pages (accessing URL "https://<NAM Server>/NAGErrors/") returned whenever the AG recognises an error has occured, one can execute JavaScript by inserting a 'Referer' in the HTTP Header of the request to these /NAGErrors/ pages.

To duplicate:

1) Install NAM4.3.1
2) on browser, install the extension ModifyHeaders
3) Add a Referer so that it includes javascript:alert('Test Alert') with every outgoing HTTP request
4) In address bar access the URL: https://<nam-server>/NAGErrors
5) notice an Object Not Found message
6) click on a link e.g. 'referring page'
7) notice the message box pops up (javascript executed)

Resolution

Modify the /opt/novell/apache2/share/apache2/error/HTTP_NOT_FOUND.html.var file and simply invalidate the 'var' parameter found. If you invalidate the value for each occurance of the ‘var’ parameter e.g. removing the ‘H’ from ‘HTTP', the javascript will not be executed e.g. change

  <!--#if expr="$HTTP_REFERER" -->

    The link on the
    <a href="<!--#echo encoding="url" var="HTTP_REFERER" -->">referring

to

  <!--#if expr="$HTTP_REFERER" -->

    The link on the
    <a href="<!--#echo encoding="url" var="TTP_REFERER" -->">referring
    page</a> seems to be wrong or outdated. Please inform the author of



This file includes details for each supported language an error message is thrown for, and each section contains code on what to do if the HTTP-request contains an HTTP_REFERER parameter.