Cross Site Scripting/XSS manipulation exiting error during PDMExport

search cancel

Cross Site Scripting/XSS manipulation exiting error during PDMExport

book

Article ID: 241433

calendar_today

Updated On:

Products

CA Service Desk Manager CA Service Management - Service Desk Manager

Issue/Introduction

When attempting to invoke the Export function in Service Desk Manager, the following message and prompts presents

Changes were made per the existing documentation Securing CA SDM from Cross-Site Scripting Vulnerabilities. Affected SDM instance is a standalone server with no other SDM Servers involved.

Environment

Release : 17.3

Component : SDM - Vulnerability

Cause

The NX.env variable NX_LOCAL_SERVLET_SERVER_URL has been configured to use a host name in all caps, but should be lower case.

Resolution

First, verify if the problem is the setting in the NX_LOCAL_SERVLET_SERVER_URL by setting it with the direct IP address of the target server, ie:

@NX_LOCAL_SERVLET_SERVER_URL=http://11.22.33.44:8080

If the export works with the direct IP address, the problem is with the DNS being unable to resolve the hostname being presented correctly. A common reason is that the DNS is being case sensitive, ie:

@NX_LOCAL_SERVLET_SERVER_URL=http://server.domain.com:8080

@NX_LOCAL_SERVLET_SERVER_URL=http://SERVER.DOMAIN.COM:8080

Depending on host and DNS settings, one of the above may work while the other will present the XSS errors.

Additional Information

NX_LOCAL_SERVLET_SERVER_URL and the NX_SERVLET_SERVER_URL comparison in the NX.env.

Attachments

Feedback

thumb_up Yes

thumb_down No