Access Manager phishing attack possible through iFrame manipulation on Admin Console iManager login page (CVE-2016-5757)

  • 7017818
  • 05-Jul-2016
  • 29-Aug-2016


NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Admin Console


With the Admin Console iManager login page that includes iFrames, it is possible to include a third party application via a URL parameter. This can be used by attackers to do a phishing attack by including a website hosted by the attacker which looks like the page but sends the login data to the attackers server instead.


Apply NAM 4.2.2 patch for NAM 4.2; or apply NAM 4.1.2 Hot Fix 1 patch for NAM 4.1

As a workaround, one can use the tomcat CORS filter to add the SAME ORIGIN header to protect IFRAME ( There are many options to restrict the sending of data to another server and the easiest option may be to add the hostname to the "" configuration parameter. To enable this on the Admin Console (or Identity Server), do the following:

a) Open the web.xml file. The web.xml file is located at the following location:

Linux: /opt/novell/nam/adminconsole/conf
Windows Server 2012: \Program Files (x86)\Novell\Tomcat\conf

b) Add the following tomcat filter configuration below any existing filter configurations: