iManager 2.7 SP5 Tomcat Vulnerable to XSS Request Forgery

  • 7011482
  • 10-Dec-2012
  • 10-Dec-2012

Environment

Novell iManager 2.7.5
NetIQ iManager 2.7.5

Situation

iManager 2.7 SP5 Tomcat Vulnerable to XSS Request Forgery
 
 
 
Prerequisites for launching attack
 
In order for this vulnerability to be exploited all of he following conditions must be met:

1.User must be logged into iManager then click on the button or link posted on the malicious site.
2.User must open a new tab or new instance of the same browser.
3.The exploiter must know all the details about the request
(IE., IP address of the iManager server, port on which it is run, all the request parameters, etc.)
 
 
 
Impact
 
If this exploit is successful, all iManager tasks are allowed that are within the rights of the logged in user.  Assuming that all of the above conditions are met, iManager server honors this request thinking that the request has come from an authenticated user.
 
 
 
Resolution:
 
Engineering is aware of the issue.  It is hoped that a fix for this will be available soon.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.