Advisory ID: SYSS-2016-067
Product: Access Manager iManager
Manufacturer: NetIQ
Affected Version(s): 2.7.7.5, 2.7.7.6
Tested Version(s): 2.7.7.5
Vulnerability Type: Temporary Second Order Cross-Site Scripting (CWE-79)
Risk Level: Low
Solution Status: Fixed
Solution Date: 2016-07
Public Disclosure: 2016-08-17
CVE Reference: Not yet assigned
Author of Advisory: Micha Borrmann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

NetIQ Access Manager is a web access management software that provides
secure access to enterprise and cloud applications.

The manufacturer describes the product as follows (see [1]):

"Access Manager provides a simple yet secure and scalable solution
that can handle all your web access needs. Whether your users are using
their phone or laptop to access internal or cloud based services,
Access Manager keeps it secure while delivering a single sign-on
experience."

Due to improper input validation, NetIQ Access Manager is vulnerable to
reflected cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found out that the servlet "webacc" of the web access
management software NetIQ Access Manager is prone to reflected cross-
site scripting attacks via the URL parameter "location".

This cross-site scripting vulnerability allows an attacker to send a
manipulated link to his victim in order to execute arbitrary JavaScript
code in the context of his victim's web browser.

The vulnerability can be abused to bypass the XSS protection in Google
Chrome, Microsoft Internet Explorer and Edge, because the initial
response is a login form for unauthorized users. After a successful
logon, the previously sent XSS attack vector will be executed in the
web browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL is an example of an attack vector exploiting the
reflected cross-site scripting vulnerability via the URL parameter
"location":

https://<HOST>/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=%2froma%2fjsp%2fadmin%2fview%2fmain.jsp%27;document.location=1/3//

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install Service Pack 2

More Information:
https://www.netiq.com/documentation/access-manager-42/accessmanager422-releasenotes/data/accessmanager422-releasenotes.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-05-12: Vulnerability discovered
2016-07   : Service Pack 2 released by manufacturer
2016-08-17: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for NetIQ Access Manager
    https://www.netiq.com/products/access-manager/
[2] SySS Security Advisory SYSS-2016-067

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-067.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of the SySS GmbH.

E-Mail: micha.borrmann@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key ID: 0xEDBE26E714EA58760
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6  0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en