Burp reports Unvalidated Redirect in NetIQ Access Manager after upgrading to NAM 4.3 AC and IDP URLs (CVE-2017-14802)

  • 7022360
  • 20-Nov-2017
  • 20-Nov-2017

Environment

Access Manager 4.3
Access Manager Administration Console
Admin Console running on Windows or Linux OS
CVE-2017-14802

Situation

https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet describes how unvalidated redirects and forwards become possible when a web application accepts untrusted input and redirects the request to a URL taken from that input. The NAM Admin Console and IDP servers expose a URL that could be used to trigger such a redirect.

Resolution

Apply 4.3.3. The fix consists of sanitizing and validating the input passed to the iManager NPS pages.
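As an added illustration, not NetIQ code and not the actual 4.3.3 patch, the following Python shows the validation pattern the resolution describes: the redirect parameter is treated as untrusted and is only honoured when it is a local absolute path or an http(s) URL whose host is on an allow-list. The hostnames, the `/nps/` default and the function names are constructed placeholders.

```python
"""Validating a user-supplied redirect target before issuing a 302.

Added example, not part of the advisory or of NetIQ Access Manager.
The unsafe pattern this replaces is `response.sendRedirect(request["url"])`
with no check at all on the value.
"""
from urllib.parse import urlsplit

# Constructed allow-list; a real deployment would list its own AC/IDP hosts.
ALLOWED_HOSTS = {"idp.example.com", "ac.example.com"}
DEFAULT_TARGET = "/nps/"  # constructed safe landing page


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a local path or an allow-listed host."""
    if not target:
        return False
    # Control characters and surrounding whitespace are never legitimate in a
    # redirect target and are a common way to confuse URL parsers.
    if target != target.strip() or any(ord(c) < 0x20 for c in target):
        return False
    # Browsers treat a backslash like a forward slash, so normalise before
    # parsing; otherwise "/\host" would look like a local path to us but be
    # resolved as "//host" by the client.
    candidate = target.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False  # e.g. malformed IPv6 literal
    if parts.scheme:
        # Absolute URL: only http(s) to an allow-listed host. Using .hostname
        # (not .netloc) discards any "user@" prefix an attacker might add.
        if parts.scheme.lower() not in ("http", "https"):
            return False
        return (parts.hostname or "").lower() in allowed_hosts
    # No scheme: reject protocol-relative ("//host/...") forms and anything
    # that still parsed into a network location.
    if candidate.startswith("//") or parts.netloc:
        return False
    # Accept only absolute local paths; relative paths are refused to keep the
    # rule simple and auditable.
    return candidate.startswith("/")


def resolve_redirect(target: str, allowed_hosts=ALLOWED_HOSTS,
                     default: str = DEFAULT_TARGET) -> str:
    """Return `target` if it passes validation, else the safe default."""
    return target if is_safe_redirect(target, allowed_hosts) else default


if __name__ == "__main__":
    for sample in ("/nps/servlet/frameservice",
                   "https://idp.example.com/nidp/app",
                   "//evil.example/",
                   "https://idp.example.com@evil.example/"):
        print(f"{sample!r:45} -> {resolve_redirect(sample)}")
```

The allow-list is deliberately exact-match on the parsed hostname rather than a substring test on the raw string, which is where many "validation" attempts go wrong.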