Persistent Cross-Site Scripting (XSS) attack used against Admin Console to inject a stored script on the auditing page - CVE-2014-5216

  • 7015996
  • 15-Dec-2014
  • 17-Dec-2014

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 Admin Console
NetIQ Access Manager 4.0 Support Pack 1 HF2 applied
CVE-2014-5216

Situation

The following URL, when sent to the Access Manager Admin Console Server, uses persistent cross-site scripting (XSS) to inject a stored script on the auditing page:

https://<host>:8443/roma/system/cntl?handler=dispatcher&command=auditsave&&secureLoggingServersA='){}};alert('xss');function+x(){if('&port=1289

After this request has been sent, the injected script runs when the Auditing page in iManager is opened.
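
The secureLoggingServersA value in the URL above closes a quoted string and the enclosing function before calling alert, which is consistent with the stored value being written unencoded into a script on the Auditing page. The following added example (not NetIQ code and not the vendor's fix) shows that defect class next to two controls against it: input validation on save and JavaScript-string encoding on output. The function names and the page template are hypothetical, and the setting is assumed to hold a hostname or IPv4 address.

```javascript
// Added example, not NetIQ code; all function names are hypothetical.
// Value of secureLoggingServersA from the advisory URL, form-decoded ('+' -> space).
const ADVISORY_VALUE = "'){}};alert('xss');function x(){if('";

// Input check before saving: accept only a hostname or IPv4 address (assumption).
function isValidLogServer(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 253) return false;
  const label = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
  return value.split(".").every((part) => label.test(part));
}

// Input check for the port parameter: decimal digits, 1..65535.
function isValidPort(value) {
  return /^[0-9]{1,5}$/.test(value) && Number(value) >= 1 && Number(value) <= 65535;
}

// Output encoding for a JavaScript string literal in an inline script:
// every character except ASCII letters and digits becomes \uXXXX.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Constructed stand-in for a page script that embeds the stored setting;
// the product's real markup is not shown in the advisory.
function renderUnsafe(server) {
  return "function check(){if('" + server + "'){}}";
}
function renderSafe(server) {
  return "function check(){if('" + encodeForJsString(server) + "'){}}";
}

// Runs a rendered script with a stub alert() and counts how often it fires.
function countAlerts(script) {
  let calls = 0;
  new Function("alert", script)(() => { calls += 1; });
  return calls;
}

console.log("accepted on save:", isValidLogServer(ADVISORY_VALUE));
console.log("alerts, unsafe render:", countAlerts(renderUnsafe(ADVISORY_VALUE)));
console.log("alerts, encoded render:", countAlerts(renderSafe(ADVISORY_VALUE)));
```

Validation on save and encoding on output are independent layers: the encoded render stays inert even for values stored before the validation existed.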

Resolution

Apply 4.0.1 HF3 or greater to address the issue.

Additional Information

NetIQ thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.