Customer has identified a Cross-Site Scripting vulnerability in /Altiris/Console/Default.aspx
Code defect. No content validation of WrapperID value
This issue has been reported to the Symantec Development team. A fix has been provided under version 7.5.1588 and higher.
The fix was also backported to ITMS 7.1 SP2 MP1 Rollup v7. Please refer to HOWTO81832
A Point-fix was provided for customer with ITMS 7.1 SP2 MP1 Rollup v1. It targets cross-site scripting vulnerability in /Altiris/Console/Default.aspx
ITMS 7.1 SP2 MP1.1 with rollup v1
HOW TO INSTALL THIS POINTFIX
1. Extract files from the archive to the NS hard drive. Make sure PointFix is not extracted to Altiris install directory (or any subfolder to it)
2. Run as administrator PFinstaller.EXE, click on ‘Install files’ button
3. Old binaries will be automatically backup to the same location where PFinstaller is and replaced with the new ones.
Added code to validateWrapperID parameter in VirtualControlHandler. Now in such case our standard error page should be displayed.
Basic Fix Validation according WebInspect Report
This hotfix has the following known issues:
How to Uninstall
1. Make sure that Backup subfolder is located in PFinstaller’ directory
2. Execute PFInstaller.exe with administrative privileges (right-click > Run as administrator).
3. Accept UAC (User Account Control) prompt, select Uninstall Files.
This issue was found on ITMS 7.1 SP2 MP1 Rollup v1
This issue is present on ITMS 7.1 SP2 MP1 Rollup v1 to v6