Advisory ID: SYSS-2016-067 Product: Access Manager iManager Manufacturer: NetIQ Affected Version(s): 2.7.7.5, 2.7.7.6 Tested Version(s): 2.7.7.5 Vulnerability Type: Temporary Second Order Cross-Site Scripting (CWE-79) Risk Level: Low Solution Status: Fixed Solution Date: 2016-07 Public Disclosure: 2016-08-17 CVE Reference: Not yet assigned Author of Advisory: Micha Borrmann, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: NetIQ Access Manager is a web access management software that provides secure access to enterprise and cloud applications. The manufacturer describes the product as follows (see [1]): "Access Manager provides a simple yet secure and scalable solution that can handle all your web access needs. Whether your users are using their phone or laptop to access internal or cloud based services, Access Manager keeps it secure while delivering a single sign-on experience." Due to improper input validation, NetIQ Access Manager is vulnerable to reflected cross-site scripting attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The SySS GmbH found out that the servlet "webacc" of the web access management software NetIQ Access Manager is prone to reflected cross- site scripting attacks via the URL parameter "location". This cross-site scripting vulnerability allows an attacker to send a manipulated link to his victim in order to execute arbitrary JavaScript code in the context of his victim's web browser. The vulnerability can be abused to bypass the XSS protection in Google Chrome, Microsoft Internet Explorer and Edge, because the initial response is a login form for unauthorized users. After a successful logon, the previously sent XSS attack vector will be executed in the web browser. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following URL is an example of an attack vector exploiting the reflected cross-site scripting vulnerability via the URL parameter "location": https://<HOST>/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=%2froma%2fjsp%2fadmin%2fview%2fmain.jsp%27;document.location=1/3// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Install Service Pack 2 More Information: https://www.netiq.com/documentation/access-manager-42/accessmanager422-releasenotes/data/accessmanager422-releasenotes.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-05-12: Vulnerability discovered 2016-07 : Service Pack 2 released by manufacturer 2016-08-17: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for NetIQ Access Manager https://www.netiq.com/products/access-manager/ [2] SySS Security Advisory SYSS-2016-067 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-067.txt ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Micha Borrmann of the SySS GmbH. E-Mail: micha.borrmann@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc Key ID: 0xEDBE26E714EA58760 Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en