Cross site scripting (XSS) vulnerability on Linux Access Gateway

  • 3575069
  • 13-Apr-2007
  • 26-Apr-2012

Environment

Novell Access Management 3 Linux Access Gateway
nam3ir2.tar.gz patch applied (LAG build 3.0.0-82)

Situation

It is possible to embed malicious commands in a clickable URL which, when a victim clicks on it, can result in theft of sensitive information and browser hijacking.

STEPS TO REPRODUCE:

- Set up a reverse proxy service with an authorization policy that will perform a deny.
- Start Ethereal on the local client machine.
- With a browser, connect to the resource and get the deny message.
- View the sniffer trace; notice that you get a 200 OK with an HTML page that redirects you to /LAGERROR/error.jsp.
- Next, notice in the Ethereal trace that when you are redirected to error.jsp, the information for the deny is passed in the query string parameters.
- Think maliciously and instead change the URL query string parameters. Specifically, the ErrorDescription and StatusCodeDescription parameters are vulnerable to the XSS attack.
- You can modify the content however you want to. Additionally, you do not need to follow the specific sequence of GET, authentication, GET denied: you can hit any Linux Access Gateway /LAGERROR/error.jsp directly and bypass everything else to perform the XSS attack.


For example, try the following URL on a test system, e.g. with the reverse proxy xsstest.novell.com.
By changing the content of ErrorDescription, one can create any type of content one wants, e.g. an HTML form in an attempt to extract user information from the unsuspecting end user.
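The defensive side of the reflection described above, as an added example (not Novell's code): a minimal error-page renderer in its vulnerable form (parameters echoed verbatim) beside the fixed form (HTML-escaped before reaching the markup), plus a scan over constructed Common Log Format lines that flags error.jsp requests whose ErrorDescription or StatusCodeDescription values carry markup. The page template, the log format and the sample lines are assumptions of this example; only the path and parameter names come from the advisory.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names taken from the advisory; the template below is constructed.
REFLECTED_PARAMS = ("ErrorDescription", "StatusCodeDescription")


def render_error_page(query: str, escape: bool = True) -> str:
    """Render a minimal error page from a query string.

    escape=False reproduces the vulnerable behaviour (value echoed verbatim);
    escape=True is the fix: HTML-escape each value before it enters the markup."""
    params = parse_qs(query, keep_blank_values=True)
    parts = []
    for name in REFLECTED_PARAMS:
        value = params.get(name, [""])[0]
        if escape:
            value = html.escape(value, quote=True)
        parts.append(f"<p>{name}: {value}</p>")
    return "<html><body>" + "".join(parts) + "</body></html>"


# Markup or script URLs that have no business inside a human-readable error text.
_SUSPICIOUS = re.compile(r"<\s*/?[a-z!]|javascript:", re.I)
_CLF = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_suspicious_requests(log_lines):
    """Return (client_ip, parameter) pairs for /LAGERROR/error.jsp requests
    whose reflected parameters contain markup. Lines are assumed to be CLF."""
    hits = []
    for line in log_lines:
        m = _CLF.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/LAGERROR/error.jsp"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for name in REFLECTED_PARAMS:
            if any(_SUSPICIOUS.search(v) for v in params.get(name, [])):
                hits.append((client, name))
    return hits


# Constructed sample log lines (not real traffic): one legitimate deny, one
# request carrying an HTML form in ErrorDescription, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Apr/2007:10:00:00 +0000] "GET /LAGERROR/error.jsp?ErrorDescription=Access%20denied&StatusCodeDescription=Forbidden HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Apr/2007:10:00:01 +0000] "GET /LAGERROR/error.jsp?ErrorDescription=%3Cform%3EEnter%20password%3C/form%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [13/Apr/2007:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 100',
]
```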

Resolution

This is fixed in any build of the LAG after 3.0.0-85. All SP1 (3.0.1-*) and newer builds of Access Manager include this fix.