Many code vulnerabilities found when scanning VPC sites (NETIQKB73236)

  • 7773236
  • 04-Nov-2011
  • 16-Nov-2011

Situation

Many code vulnerabilities found when scanning VPC sites

How does VPC prevent cross-site scripting attacks?

Resolution

To enable or disable the cross-site scripting filter:

If you want to enable the cross-site scripting filter on the User Site, complete the following steps:

  1. Log on to the VigilEnt Policy Center computer with a local administrator account.
  2. Copy the VPC Installation Path\xss\policy\web_xss_enable.xml file to VPC Installation Path\server\webapps\policy\WEB-INF\web.xml.
  3. Change the web_xss_enable.xml file name to web.xml to replace the old web.xml configuration file.
  4. Restart the VigilEnt Policy Center services.

If you want to disable the cross-site scripting filter on the User Site, complete the following steps:

  1. Log on to the VigilEnt Policy Center computer with a local administrator account.
  2. Copy the VPC Installation Path\xss\policy\web_xss_disable.xml file to VPC Installation Path\server\webapps\policy\WEB-INF\web.xml.
  3. Change the web_xss_disable.xml file name to web.xml to replace the old web.xml configuration file.
  4. Restart the VigilEnt Policy Center services.

If you want to enable the cross-site scripting filter on the Administration Site, complete the following steps:

  1. Log on to the VigilEnt Policy Center computer with a local administrator account.
  2. Copy the VPC Installation Path\xss\VpcAdmin\web_xss_enable.xml file to VPC Installation Path\server\webapps\VpcAdmin\WEB-INF\web.xml.
  3. Change the web_xss_enable.xml file name to web.xml to replace the old web.xml configuration file.
  4. Restart the VigilEnt Policy Center services.

If you want to disable the cross-site scripting filter on the Administration Site, complete the following steps:

  1. Log on to the VigilEnt Policy Center computer with a local administrator account.
  2. Copy the VPC Installation Path\xss\VpcAdmin\web_xss_disable.xml file to VPC Installation Path\server\webapps\VpcAdmin\WEB-INF\web.xml.
  3. Change the web_xss_disable.xml file name to web.xml to replace the old web.xml configuration file.
  4. Restart the VigilEnt Policy Center services.
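The four procedures above, as an added PowerShell example (not NetIQ's own tooling): it reports whether each site's deployed web.xml is byte-identical to the enable or disable template and, when -Set is given, backs up the old file and copies the chosen template over it. The $VpcRoot parameter stands in for "VPC Installation Path" and, like the SHA-256 comparison, is an assumption of this example; restarting the services is left to the operator because the article does not name them.

```powershell
# Added example: audit (and optionally set) the XSS filter state on both VPC sites.
param(
    # Assumption: stands in for "VPC Installation Path"; pass your install directory.
    [Parameter(Mandatory)] [string] $VpcRoot,
    # Optional: 'enable' or 'disable' deploys that template; omit to audit only.
    [ValidateSet('enable', 'disable')] [string] $Set
)

# Site folder names are taken from the paths in this article.
$sites = [ordered]@{ 'User Site' = 'policy'; 'Administration Site' = 'VpcAdmin' }

function Get-Sha256([string] $Path) {
    if (Test-Path -LiteralPath $Path) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash }
}

foreach ($site in $sites.GetEnumerator()) {
    $templates = Join-Path $VpcRoot "xss\$($site.Value)"
    $deployed  = Join-Path $VpcRoot "server\webapps\$($site.Value)\WEB-INF\web.xml"

    if ($Set) {
        $source = Join-Path $templates "web_xss_${Set}.xml"
        if (-not (Test-Path -LiteralPath $source)) { throw "Template not found: $source" }
        # Keep a timestamped copy of the old web.xml so the change can be rolled back.
        if (Test-Path -LiteralPath $deployed) {
            Copy-Item -LiteralPath $deployed -Destination "$deployed.$(Get-Date -Format yyyyMMddHHmmss).bak"
        }
        Copy-Item -LiteralPath $source -Destination $deployed -Force
    }

    # Compare the deployed file with both templates to determine the current state.
    $current     = Get-Sha256 $deployed
    $enableHash  = Get-Sha256 (Join-Path $templates 'web_xss_enable.xml')
    $disableHash = Get-Sha256 (Join-Path $templates 'web_xss_disable.xml')
    if (-not $current)                 { $state = 'web.xml missing' }
    elseif ($current -eq $enableHash)  { $state = 'filter enabled' }
    elseif ($current -eq $disableHash) { $state = 'filter disabled' }
    else                               { $state = 'unknown (web.xml matches neither template)' }

    [pscustomobject]@{ Site = $site.Key; WebXml = $deployed; State = $state }
}

if ($Set) { Write-Warning 'Restart the VigilEnt Policy Center services for the change to take effect.' }
```

A state of "unknown" means web.xml was edited after deployment or came from a different build, so review it by hand before overwriting it.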

Cause

With VigilEnt Policy Center (VPC) 5.6 SP 2, the cross-site scripting filter that was added in VPC 5.6 SP1 is now disabled by default. However, you can enable it at any time on the Administration Site and the User Site as needed for your environment.

Cross-site scripting is a type of computer security vulnerability, typically found in Web applications, that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by malicious users to bypass access controls such as the same-origin policy.

You can replace the default web.xml configuration file to enable or disable the cross-site scripting filter in your environment.

Additional Information

Formerly known as NETIQKB73236