ERPM Cross Site Scripting in ShadowAccount App Launcher


Revision: 1.2

Date: Dec. 22, 2016

Affected Products

  • Enterprise Random Password Manager, v5.5.1

Problem

A cross-site scripting (XSS) vulnerability has been identified in the application launcher web pages when shadow accounts are used. A user who can control the name values rendered into these pages can craft input that injects additional script, which the browser of any user viewing the page will then execute. Depending on the victim's permission level this enables a range of further attacks, including capturing the victim's session token and issuing requests to the system as that user.

Cause

Certain name values are not properly HTML encoded. The sSystemName argument and the related name arguments are written into an inline JavaScript block after passing through StripJS only, so the HTML markup characters < and > reach the page unchanged. As a result, a value containing a closing </script> tag ends the script block early; everything after it is parsed as HTML, which lets an attacker open a new script block that the browser executes.

Resolution

The change below HTML-encodes the arguments before they are written into the page, which prevents this specific exploit from being performed against this page.

  1. Edit LaunchApp.asp in the directory where the ERPM website is installed, typically %inetpub%\wwwroot\pwcweb.
  2. Go to line 461 (or search for "function ShowEdit").
  3. Replace the following four lines:

    Change this:

    $("#RunAsExactUsername").val('<%=StripJS(sNamespace)%>\\<%=StripJS(sAccountName)%>');
    $("#RunAsStoredSystem").val('<%=StripJS(sSystemName)%>');
    $("#RunAsStoredNamespace").val('<%=StripJS(sNamespace)%>');
    $("#RunAsStoredAccountName").val('<%=StripJS(sAccountName)%>');

    To this:

    $("#RunAsExactUsername").val('<%=StripJS(Server.HTMLEncode(sNamespace))%>\\<%=StripJS(Server.HTMLEncode(sAccountName))%>');
    $("#RunAsStoredSystem").val('<%=StripJS(Server.HTMLEncode(sSystemName))%>');
    $("#RunAsStoredNamespace").val('<%=StripJS(Server.HTMLEncode(sNamespace))%>');
    $("#RunAsStoredAccountName").val('<%=StripJS(Server.HTMLEncode(sAccountName))%>');
  4. Save the file.
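To make the Cause and the Resolution concrete, the following is an added example; it is not code from this advisory or from the ERPM product. It models how LaunchApp.asp renders the RunAsStoredSystem line before and after the fix. stripJs and htmlEncode are hypothetical stand-ins for StripJS and Server.HTMLEncode, whose exact behaviour is not shown on this page; PAYLOAD is a constructed malicious system name; markupAfterFirstScript models the one HTML-parsing rule that matters here, namely that a script element ends at the first </script regardless of what the JavaScript inside it was doing.

```javascript
"use strict";

// Hypothetical stand-in for ERPM's StripJS (assumption: its real behaviour is
// not shown on the page): escape the characters that would end a JS string
// literal, but leave HTML markup characters alone.
function stripJs(value) {
  return String(value)
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n");
}

// Stand-in for ASP's Server.HTMLEncode: the HTML metacharacters become
// entities, so "</script>" can no longer appear literally in the output.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// The inline script LaunchApp.asp emits for one field, before the fix:
// StripJS only.
function renderBefore(sSystemName) {
  return "<script>\n" +
    "$(\"#RunAsStoredSystem\").val('" + stripJs(sSystemName) + "');\n" +
    "</script>";
}

// The same line after the fix: HTML-encode first, then StripJS, exactly the
// nesting used in the corrected LaunchApp.asp lines.
function renderAfter(sSystemName) {
  return "<script>\n" +
    "$(\"#RunAsStoredSystem\").val('" + stripJs(htmlEncode(sSystemName)) + "');\n" +
    "</script>";
}

// Model of the HTML tokenizer rule that enables the attack: a <script>
// element ends at the first "</script", whatever the JavaScript inside it was
// doing. Returns the markup the browser would parse as HTML after the
// intended script block (empty when the block ends where the page meant it to).
function markupAfterFirstScript(html) {
  const end = html.search(/<\/script/i);
  if (end < 0) return "";
  const close = html.indexOf(">", end);
  return html.slice(close + 1);
}

// Constructed attacker-controlled system name: closes the script element,
// opens a second one that runs attacker code, then opens a third so the
// page's own trailing "');" is swallowed instead of producing a parse error.
const PAYLOAD = "srv01</script><script>alert(document.cookie)</script><script>";

// Compare what the browser sees after the intended block in both versions.
function demo(name = PAYLOAD) {
  return {
    beforeInjected: markupAfterFirstScript(renderBefore(name)),
    afterInjected: markupAfterFirstScript(renderAfter(name)),
  };
}

console.log(demo());
```

Run it with node. With the raw payload the browser sees the attacker's <script>alert(document.cookie)</script> as a second script element; with the encoded value nothing follows the intended block, and a benign name such as db-prod-01 renders identically either way. One caveat of this fix worth knowing before applying it: the encoded string is assigned by jQuery's .val(), which does not decode entities, so a legitimate name containing &, <, > or " will appear in the field as entities (for example &amp;) rather than the original characters.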

More Information

Releases of ERPM after v5.5.1 include this change. Upgrade to the latest version rather than relying on the manual edit above.
