exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

NetIQ Access Manager iManager 2.7.7.6 / 2.7.7.5 Cross Site Scripting

NetIQ Access Manager iManager 2.7.7.6 / 2.7.7.5 Cross Site Scripting
Posted Aug 17, 2016
Authored by Micha Borrmann | Site syss.de

NetIQ Access Manager iManager versions 2.7.7.5 and 2.7.7.6 suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 0d8b132a98ae866b25e976fa91c028b7f87513113e4275ea391b836b58886260

NetIQ Access Manager iManager 2.7.7.6 / 2.7.7.5 Cross Site Scripting

Change Mirror Download
Advisory ID: SYSS-2016-067
Product: Access Manager iManager
Manufacturer: NetIQ
Affected Version(s): 2.7.7.5, 2.7.7.6
Tested Version(s): 2.7.7.5
Vulnerability Type: Temporary Second Order Cross-Site Scripting (CWE-79)
Risk Level: Low
Solution Status: Fixed
Solution Date: 2016-07
Public Disclosure: 2016-08-17
CVE Reference: Not yet assigned
Author of Advisory: Micha Borrmann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

NetIQ Access Manager is a web access management software that provides
secure access to enterprise and cloud applications.

The manufacturer describes the product as follows (see [1]):

"Access Manager provides a simple yet secure and scalable solution
that can handle all your web access needs. Whether your users are using
their phone or laptop to access internal or cloud based services,
Access Manager keeps it secure while delivering a single sign-on
experience."

Due to improper input validation, NetIQ Access Manager is vulnerable to
reflected cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found out that the servlet "webacc" of the web access
management software NetIQ Access Manager is prone to reflected cross-
site scripting attacks via the URL parameter "location".

This cross-site scripting vulnerability allows an attacker to send a
manipulated link to his victim in order to execute arbitrary JavaScript
code in the context of his victim's web browser.

The vulnerability can be abused to bypass the XSS protection in Google
Chrome, Microsoft Internet Explorer and Edge, because the initial
response is a login form for unauthorized users. After a successful
logon, the previously sent XSS attack vector will be executed in the
web browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL is an example of an attack vector exploiting the
reflected cross-site scripting vulnerability via the URL parameter
"location":

https://<HOST>/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=%2froma%2fjsp%2fadmin%2fview%2fmain.jsp%27;document.location=1/3//

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install Service Pack 2

More Information:
https://www.netiq.com/documentation/access-manager-42/accessmanager422-releasenotes/data/accessmanager422-releasenotes.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-05-12: Vulnerability discovered
2016-07 : Service Pack 2 released by manufacturer
2016-08-17: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for NetIQ Access Manager
https://www.netiq.com/products/access-manager/
[2] SySS Security Advisory SYSS-2016-067

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-067.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of the SySS GmbH.

E-Mail: micha.borrmann@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key ID: 0xEDBE26E714EA58760
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close