KNOWN ISSUE: Cross-Site Scripting (XSS) vulnerability in /Altiris/Console/Default.aspx

Article ID: 158170

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

A customer has identified a Cross-Site Scripting vulnerability in /Altiris/Console/Default.aspx.

Cause

Code defect: the WrapperID value is not validated.

Resolution

This issue has been reported to the Symantec Development team. A fix has been provided under version 7.5.1588 and higher.

The fix was also backported to ITMS 7.1 SP2 MP1 Rollup v7. Please refer to HOWTO81832.

A point fix was provided for customers with ITMS 7.1 SP2 MP1 Rollup v1. It targets the cross-site scripting vulnerability in /Altiris/Console/Default.aspx.


MINIMUM REQUIREMENT

ITMS 7.1 SP2 MP1.1 with rollup v1


HOW TO INSTALL THIS POINTFIX

1. Extract the files from the archive to the NS hard drive. Make sure the point fix is not extracted to the Altiris install directory (or any subfolder of it).
2. Run PFinstaller.EXE as administrator and click the ‘Install files’ button.
3. The old binaries are automatically backed up to the same location as PFinstaller and replaced with the new ones.


CHANGES MADE

Added code to validate the WrapperID parameter in VirtualControlHandler. When an invalid value is supplied, the standard error page should now be displayed.
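
The validation described above, sketched as an added C# example; it is not Symantec's VirtualControlHandler code and not part of the original article. The WrapperID format, the way the value reaches the page markup, and every name other than WrapperID are assumptions.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Illustrative sketch only: hypothetical names, not the product's code.
static class WrapperIdDemo
{
    // Assumption: a legitimate WrapperID is a short identifier. The real
    // format is not documented in this article; adjust the allowlist to it.
    static readonly Regex Allowed =
        new Regex(@"\A[A-Za-z0-9_\-]{1,64}\z", RegexOptions.CultureInvariant);

    // "Before": the raw query-string value is copied into the markup
    // (assumed reflection point), so markup in the value reaches the page.
    static string RenderUnvalidated(string wrapperId) =>
        "<div id=\"" + wrapperId + "\"></div>";

    // "After": anything outside the allowlist gets a fixed error page that
    // does not echo the input; accepted values are still encoded on output.
    static (int Status, string Body) RenderValidated(string wrapperId)
    {
        if (wrapperId == null || !Allowed.IsMatch(wrapperId))
            return (400, "<h1>An error has occurred.</h1>");
        return (200, "<div id=\"" + WebUtility.HtmlEncode(wrapperId) + "\"></div>");
    }

    static void Main()
    {
        // Constructed sample inputs, not taken from any scan report.
        string[] samples = { "ctl_wrapper_01", "x\"><b>markup</b>", "", null };
        foreach (var s in samples)
        {
            var (status, body) = RenderValidated(s);
            Console.WriteLine($"{s ?? "(null)"} -> {status} {body}");
        }
        // The unvalidated path lets the second sample break out of the attribute.
        Console.WriteLine(RenderUnvalidated("x\"><b>markup</b>"));
    }
}
```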


QA PERFORMED

Basic fix validation according to the WebInspect report.


This hotfix has the following known issues:

None.


How to Uninstall

1. Make sure that the Backup subfolder is located in the PFinstaller directory.
2. Execute PFInstaller.exe with administrative privileges (right-click > Run as administrator).
3. Accept UAC (User Account Control) prompt, select Uninstall Files.
 

 

Applies To

This issue was found on ITMS 7.1 SP2 MP1 Rollup v1
This issue is present on ITMS 7.1 SP2 MP1 Rollup v1 to v6

Attachments

PF319530471SP2MP1V1.zip