BugTraq
[SYSS-2016-067] NetIQ Access Manager (iManager) - Temporary Second Order Cross-Site Scripting (CWE-79) Aug 17 2016 06:24AM
Micha Borrmann (micha borrmann syss de)
Advisory ID: SYSS-2016-067
Product: Access Manager iManager
Manufacturer: NetIQ
Affected Version(s): 2.7.7.5, 2.7.7.6
Tested Version(s): 2.7.7.5
Vulnerability Type: Temporary Second Order Cross-Site Scripting (CWE-79)
Risk Level: Low
Solution Status: Fixed
Solution Date: 2016-07
Public Disclosure: 2016-08-17
CVE Reference: Not yet assigned
Author of Advisory: Micha Borrmann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

NetIQ Access Manager is a web access management software that provides
secure access to enterprise and cloud applications.

The manufacturer describes the product as follows (see [1]):

"Access Manager provides a simple yet secure and scalable solution
that can handle all your web access needs. Whether your users are using
their phone or laptop to access internal or cloud based services,
Access Manager keeps it secure while delivering a single sign-on
experience."

Due to improper input validation, NetIQ Access Manager is vulnerable to
reflected cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found out that the servlet "webacc" of the web access
management software NetIQ Access Manager is prone to reflected cross-
site scripting attacks via the URL parameter "location".

This cross-site scripting vulnerability allows an attacker to send a
manipulated link to his victim in order to execute arbitrary JavaScript
code in the context of his victim's web browser.

The vulnerability can be abused to bypass the XSS protection in Google
Chrome, Microsoft Internet Explorer and Edge, because the initial
response is a login form for unauthorized users. After a successful
logon, the previously sent XSS attack vector will be executed in the
web browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL is an example of an attack vector exploiting the
reflected cross-site scripting vulnerability via the URL parameter
"location":

https://<HOST>/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&
location=%2froma%2fjsp%2fadmin%2fview%2fmain.jsp%27;document.location=1/
3//

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install Service Pack 2

More Information:
https://www.netiq.com/documentation/access-manager-42/accessmanager422-r
eleasenotes/data/accessmanager422-releasenotes.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-05-12: Vulnerability discovered
2016-07 : Service Pack 2 released by manufacturer
2016-08-17: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for NetIQ Access Manager
https://www.netiq.com/products/access-manager/
[2] SySS Security Advisory SYSS-2016-067

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-20
16-067.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of the SySS GmbH.

E-Mail: micha.borrmann (at) syss (dot) de [email concealed]
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key ID: 0xEDBE26E714EA58760
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJXtAMvAAoJEO2+JucU6lh2JDUP/1q14NrW7HeFaJfwvRHxf6sw
WnHwEINYsn3H/JqxhoGmgZtrwSgNd2tJRA8HiR5d0hl+QMx9phnpzkMBqdii5EcJ
XdtlVvbHRQLA0pTUC6JTskmV5CN1M1bv8mSFFizEZ5M9VaUu+KeLyntcWxBXlUkn
hGZ56wbFMmWi+v6AEJ2NM8+L8Ytpmle3iWfktKXrDxdXNOlxmhkef1wDUn8t0URU
GgLLsYfhMv9LHvAqECAmIU52FwMKYaY1o4kMR6dOEqfPJ/s0s2PEjy6voM/jHuCd
WgEtSdsKf1fWVaeMJlw/ekEMXsnaBwNLdN1Sst0HpqaXHDPA6sCrVuZDkYd6BwZI
nUBltgQhnUguJV7eYwsRbsadci/+93/9vetuFLXH1PMwY1iEvOhDFkjbFAhcAq69
LzEjWh8p+LNkLuSF2W9N9uYVZRAlqwY3Bbk9YeJcjWCFF+oTH+eMaly5U8SpSTcn
UUogAtVoIYzr5t8khOorUdLffjnJhNWIJnj0O34t7O4eXLWw9aKrMklXFB79XMnx
eHnJJqxygM1mAHQExQoKds+pv5BdSMvQPLv+AVBvVypB9/d/I1CYIbfje793eHcH
imPELZNXuRirw9cwbcBjLSYN9YS1FYHHHF1FhSwgZgKTl17Td+jBt3QG86ImF6A9
fEaBh+H5lI5E8h3tIvHa
=wFGS
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus