Bugzilla – Bug 679024
Security Vulnerability: iManager XSS stored
Last modified: 2013-01-31 19:46:31 UTC
Created attachment 418942 [details]
BURP Scanner report

BURP scanner is reporting:

For XSS stored:

Issue:
The value of the OS.InitialContext request parameter submitted to the URL /nps/servlet/webacc is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /nps/servlet/webacc. The payload f328d</ScRiPt%20><a%20b%3dc>8792f2af5c1 was submitted in the OS.InitialContext parameter. This input was returned as f328d</ScRiPt ><a b=c>8792f2af5c1 in a subsequent request for the URL /nps/servlet/webacc.

Request:
GET /nps/servlet/webacc?taskId=fw.ObjectSelector&merge=fw.OS.ObjectSelector&error=dev.GenErr&SearchToken=SearchTokenInit&User.context=&OS.Control=single&OS.CallBack=&OS.AdvancedSelection=&OS.InitialContext=&OS.IsOSAllowed=&OS.Mode=&OS.MultiSelect=&OS.NameFilter=&OS.QueryWidth=240&OS.ResultsPerPage=&OS.SearchSubContainers=&OS.SearchOnStartup=&OS.ShowSubClasses=&OS.TypeFilter=User&OS.URLUniqueId=0.7168382433598749&OS.AuthName=undefined HTTP/1.1
Host: 999.99.9.9:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://999.99.9.9:8080/nps/servlet/frameservice?NPService=fw.LaunchService&NPAction=Delegate&delegate=base.ModifyUser&launcher=fw.HomePage&lifecycle=Recreate&repeatable=true
Cookie: username=61646D696E2E7365727669636573; tree=3133302E3136302E31332E3833; rank=7072696D617279; JSESSIONID=2ACA1CCC4E33327C4BEA88CA6E7A17F4

Response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Tue, 01 Mar 2011 03:39:10 GMT
Content-Length: 8653

<HTML>
<HEAD>
<TITLE>Object Selector (Browser)</TITLE>
<!-- ========= START imaneMFrameScripts tag ========== -->
<SCRIPT>
BrowserCharset='utf-8';
ParentWindowChangedErrorAlertMessage = 'Chang
...[SNIP]...
""
var m_simpleBrowsingOnly = "false"
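Added example (not part of the original report and not iManager code): output encoding for a stored value that is written into a double-quoted JavaScript string inside an inline <SCRIPT> block, checked against the payload string quoted in the scanner report. The variable name initialContext and all function names are assumptions; the report does not show how the page builds this line.

```javascript
// Added example, not iManager code. Encodes a stored value before it is
// written into a double-quoted JavaScript string in an inline <SCRIPT> block.

// Decoded payload string quoted in the scanner report above.
const SCANNER_PAYLOAD = 'f328d</ScRiPt ><a b=c>8792f2af5c1';

// Allowlist encoder: everything outside a small safe set becomes \uXXXX, so
// the value can neither close the string literal nor show the HTML parser
// a "</script" sequence.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 _.,-]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// "initialContext" is a hypothetical variable name; the report does not
// show the real one.
function renderUnsafe(value) {
  return '<SCRIPT>\nvar initialContext = "' + value + '";\n</SCRIPT>';
}

function renderEscaped(value) {
  return renderUnsafe(escapeForJsString(value));
}

// Approximates the HTML parser: the script block ends at the first
// "</script" followed by whitespace, "/" or ">", whatever the JavaScript
// quoting state. Returns the text the browser would then treat as HTML.
function htmlAfterFirstScript(html) {
  const close = html.search(/<\/script[\s\/>]/i);
  return html.slice(html.indexOf('>', close) + 1);
}

// The value the JavaScript engine assigns once the literal is evaluated.
function decodeJsString(escaped) {
  return JSON.parse('"' + escaped + '"');
}

// Unencoded: markup from the stored value lands outside the script block.
console.log(JSON.stringify(htmlAfterFirstScript(renderUnsafe(SCANNER_PAYLOAD))));
// Encoded: nothing follows the page's own closing tag.
console.log(JSON.stringify(htmlAfterFirstScript(renderEscaped(SCANNER_PAYLOAD))));
```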
Customer is expecting a response as to our plan for this defect. Can I get an update as soon as possible?
Update released for: nici, nici64, novell-cifs, novell-cluster-services, novell-cluster-services-devel, novell-cluster-services-kmp-bigsmp, novell-cluster-services-kmp-default, novell-cluster-services-kmp-kdumppae, novell-cluster-services-kmp-smp, novell-cluster-services-kmp-vmi, novell-cluster-services-kmp-vmipae, novell-cluster-services-kmp-xen, novell-cluster-services-kmp-xenpae, novell-dnsdhcp-javaconsole, novell-imanager, novell-iprint-management, novell-iprint-server, novell-ncpenc, novell-ncpns, novell-ncpserv, novell-ncpserv-nrm, novell-ncpserv-tools, novell-nss, novell-nwmpk, novell-nwmpk-devel, novell-nwmpk-kmp-bigsmp, novell-nwmpk-kmp-default, novell-nwmpk-kmp-kdumppae, novell-nwmpk-kmp-smp, novell-nwmpk-kmp-vmi, novell-nwmpk-kmp-vmipae, novell-nwmpk-kmp-xen, novell-nwmpk-kmp-xenpae, novell-plugin-afp, novell-plugin-arkmanager, novell-plugin-base, novell-plugin-cifs, novell-plugin-dfs, novell-plugin-fileman, novell-plugin-netstorage, novell-plugin-nss, novell-plugin-samba, novell-plugin-sms, novell-usermanagement-imanager-plugin, novell-welcome-imanager, novell-xad-framework, novell-xtier-base, novell-xtier-core, novell-xtier-web, novell-xtier-xplat, novell-zapi, novell-zapi-devel, novell-zapi-kmp-bigsmp, novell-zapi-kmp-default, novell-zapi-kmp-kdumppae, novell-zapi-kmp-smp, novell-zapi-kmp-vmi, novell-zapi-kmp-vmipae, novell-zapi-kmp-xen, novell-zapi-kmp-xenpae, nss, nss-devel, nss-kmp-bigsmp, nss-kmp-default, nss-kmp-kdumppae, nss-kmp-smp, nss-kmp-vmi, nss-kmp-vmipae, nss-kmp-xen, nss-kmp-xenpae, storage-iman
Products: Open-Enterprise-Server 2-SP3 (i386, x86_64)