Environment
nam3ir2.tar.gz patch applied (LAG build 3.0.0-82)
Situation
The Linux Access Gateway error page, /LAGERROR/error.jsp, reflects the ErrorDescription and StatusCodeDescription query string parameters into its HTML output unchanged. An attacker can therefore embed script in a clickable URL which, when a victim clicks on it, runs in the victim's browser in the context of the gateway site and can result in theft of sensitive information and browser hijacking.
STEPS TO REPRODUCE:
-Set up a reverse proxy service with an authorization policy that denies access to the protected resource.
-Start Ethereal (a packet sniffer) on the local client machine.
-With a browser, connect to the resource and receive the deny message.
-View the sniffer trace and notice that the gateway answers with a 200 OK carrying an HTML page that redirects the browser to /LAGERROR/error.jsp.
-Next, notice in the trace that when the browser is redirected to error.jsp, the details of the deny are passed to it as query string parameters.
-Now think like an attacker and change those query string parameters instead. Specifically, the ErrorDescription and StatusCodeDescription parameters are vulnerable to XSS: whatever value they carry is reflected into the error page.
-You can set the content to anything you want. The GET, authenticate, GET-denied sequence is also not required: error.jsp can be requested directly, so a crafted request to /LAGERROR/error.jsp on any Linux Access Gateway bypasses everything else and performs the XSS attack.
For example, try the following URL on a test system, e.g. with the reverse proxy xsstest.novell.com:
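The reflection described in the steps above, as an added example in Python that is not part of this TID and not LAG's own code: the render_* functions are a simplified stand-in for an error.jsp that concatenates the two parameters into its HTML (vulnerable) beside the HTML-encoded form (fixed); probe_params sends a marker through each parameter and reports which ones come back unencoded; flag_error_requests triages constructed access-log lines for direct hits on /LAGERROR/error.jsp whose parameters carry markup. The host lag.example, the log lines and the page layout are assumptions; only the path and the two parameter names come from the TID.

```python
"""Reflection check and log triage for an error page that echoes query-string
parameters into HTML. Added example, not LAG's own code: the render_* functions
are a deliberately simplified stand-in for an error.jsp that concatenates
request parameters into its output, and the log lines below are constructed."""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

ERROR_PATH = "/LAGERROR/error.jsp"
# The two parameters the TID names as reflected into the page.
REFLECTED_PARAMS = ("ErrorDescription", "StatusCodeDescription")
# Probe carrying every character that must be encoded before it reaches HTML.
# If it comes back verbatim, the page is reflecting without encoding.
PROBE = '<xss-probe>"\'&'


def build_error_url(host, **params):
    """Build the error.jsp URL the deny redirect sends the browser to (host and
    values are hypothetical; only the path and parameter names come from the TID)."""
    return f"https://{host}{ERROR_PATH}?{urlencode(params)}"


def render_vulnerable(qs):
    """Stand-in for the unpatched behaviour: parameter values dropped into HTML as-is."""
    status = qs.get("StatusCodeDescription", [""])[0]
    desc = qs.get("ErrorDescription", [""])[0]
    return f"<html><body><h1>{status}</h1><p>{desc}</p></body></html>"


def render_fixed(qs):
    """Hardened behaviour: every reflected value is HTML-encoded. quote=True also
    turns ' and " into entities so the value is safe inside attributes too."""
    status = html.escape(qs.get("StatusCodeDescription", [""])[0], quote=True)
    desc = html.escape(qs.get("ErrorDescription", [""])[0], quote=True)
    return f"<html><body><h1>{status}</h1><p>{desc}</p></body></html>"


def serve(renderer):
    """Adapt a render_* function to the 'url -> body' shape an HTTP fetch would have,
    so probe_params can be pointed at a real gateway by swapping in a fetcher."""
    def fetch(url):
        return renderer(parse_qs(urlsplit(url).query, keep_blank_values=True))
    return fetch


def probe_params(host, fetch):
    """Send PROBE through each reflected parameter; return the names that echo it unencoded."""
    hits = []
    for name in REFLECTED_PARAMS:
        body = fetch(build_error_url(host, **{name: PROBE}))
        if PROBE in body:
            hits.append(name)
    return hits


# Markup or script-bearing content in a value that should be plain text.
SUSPICIOUS = re.compile(r'[<>"]|javascript:|\bon\w+\s*=', re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed access-log lines for the triage function below (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2007:10:00:00 +0000] "GET /LAGERROR/error.jsp?'
    'ErrorDescription=Access+denied+by+policy&StatusCodeDescription=Forbidden HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2007:10:00:07 +0000] "GET /LAGERROR/error.jsp?'
    'ErrorDescription=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 540',
    '10.0.0.9 - - [01/Jan/2007:10:00:09 +0000] "GET /portal/index.html HTTP/1.1" 200 2048',
]


def flag_error_requests(lines):
    """Return (line_number, parameter) for direct hits on error.jsp whose reflected
    parameters carry markup. Values are percent-decoded before matching so
    %3Cscript%3E and <script> are treated the same."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if target.path != ERROR_PATH:
            continue
        qs = parse_qs(target.query, keep_blank_values=True)
        for name in REFLECTED_PARAMS:
            if any(SUSPICIOUS.search(v) for v in qs.get(name, [])):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    print("vulnerable stand-in reflects:", probe_params("lag.example", serve(render_vulnerable)))
    print("fixed stand-in reflects:", probe_params("lag.example", serve(render_fixed)))
    print("flagged log lines:", flag_error_requests(SAMPLE_LOG))
```

To test a live gateway, replace serve(render_vulnerable) with a function that fetches the URL and returns the response body; a reported parameter name means that parameter is reflected raw. The log check matches on decoded values, so it catches literal and percent-encoded markup alike, and because the TID notes that error.jsp can be hit directly, it does not look for a preceding deny.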