Customer has identified a Cross-Site Scripting vulnerability in /Altiris/Console/Default.aspx

--

Code defect. No content validation of WrapperID value

This issue has been reported to the Symantec Development team. A fix has been provided under version 7.5.1588 and higher.

The fix was also backported to ITMS 7.1 SP2 MP1 Rollup v7. Please refer to HOWTO81832

A Point-fix was provided for customer with ITMS 7.1 SP2 MP1 Rollup v1. It targets cross-site scripting vulnerability in /Altiris/Console/Default.aspx

MINIMUM REQUIREMENT

ITMS 7.1 SP2 MP1.1 with rollup v1

HOW TO INSTALL THIS POINTFIX

1. Extract files from the archive to the NS hard drive. Make sure PointFix is not extracted to Altiris install directory (or any subfolder to it)
2. Run as administrator PFinstaller.EXE, click on ‘Install files’ button
3. Old binaries will be automatically backup to the same location where PFinstaller is and replaced with the new ones.

CHANGES MADE

Added code to validateWrapperID parameter in VirtualControlHandler. Now in such case our standard error page should be displayed.

QA PERFORMED

Basic Fix Validation according WebInspect Report

This hotfix has the following known issues:

None.

How to Uninstall

1. Make sure that Backup subfolder is located in PFinstaller’ directory
2. Execute PFInstaller.exe with administrative privileges (right-click > Run as administrator).
3. Accept UAC (User Account Control) prompt, select Uninstall Files.
 

Applies To

This issue was found on ITMS 7.1 SP2 MP1 Rollup v1
This issue is present on ITMS 7.1 SP2 MP1 Rollup v1 to v6