Cross Site Scripting/XSS manipulation exiting error during PDMExport

Article ID: 241433

Products

CA Service Desk Manager
CA Service Management - Service Desk Manager

Issue/Introduction

When attempting to invoke the Export function in Service Desk Manager, the following message and prompts are presented.

Changes were made per the existing documentation "Securing CA SDM from Cross-Site Scripting Vulnerabilities". The affected SDM instance is a standalone server with no other SDM servers involved.

Environment

Release : 17.3

Component : SDM - Vulnerability

Cause

The NX.env variable NX_LOCAL_SERVLET_SERVER_URL has been configured with a host name in all caps, but the host name should be in lower case.

Resolution

First, verify whether the NX_LOCAL_SERVLET_SERVER_URL setting is the problem by setting it to the direct IP address of the target server, for example:

@NX_LOCAL_SERVLET_SERVER_URL=http://###.###.###.###:8080

If the export works with the direct IP address, the problem is that DNS is unable to resolve the host name as presented. A common reason is that the DNS is behaving case-sensitively, for example:

@NX_LOCAL_SERVLET_SERVER_URL=http://SDM-SERVER.EXAMPLE.COM:8080

@NX_LOCAL_SERVLET_SERVER_URL=http://sdm-server.example.com:8080

Depending on host and DNS settings, one of the above may work while the other presents the XSS errors.
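
A quick way to audit an NX.env for the condition described above, as an added example that is not part of the original article or of the product: it reports whether each servlet URL variable uses an IP address, a lower-case host name, or a host name containing upper-case characters. It assumes the `@NAME=value` line form shown in the examples above; the function names and the sample text are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Variables named on this page; the "@NAME=value" form is taken from its examples.
URL_VARS = ("NX_LOCAL_SERVLET_SERVER_URL", "NX_SERVLET_SERVER_URL")

def raw_host(url):
    """Return the host exactly as written (urlsplit().hostname would lowercase it)."""
    netloc = urlsplit(url).netloc.rsplit("@", 1)[-1]
    if netloc.startswith("["):  # bracketed IPv6 literal
        return netloc[1:netloc.index("]")]
    return netloc.rsplit(":", 1)[0] if ":" in netloc else netloc

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_nx_env(text):
    """Map each servlet URL variable found in an NX.env body to (host, finding)."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("@") or "=" not in line:
            continue
        name, value = line[1:].split("=", 1)
        name = name.strip()
        if name not in URL_VARS:
            continue
        host = raw_host(value.strip())
        if is_ip(host):
            finding = "ip-literal"       # bypasses name resolution entirely
        elif host != host.lower():
            finding = "uppercase-host"   # the condition this article describes
        else:
            finding = "ok"
        findings[name] = (host, finding)
    return findings

# Constructed sample, reusing the host names from the examples above.
SAMPLE = """\
@NX_SERVLET_SERVER_URL=http://sdm-server.example.com:8080
@NX_LOCAL_SERVLET_SERVER_URL=http://SDM-SERVER.EXAMPLE.COM:8080
"""

if __name__ == "__main__":
    for var, (host, finding) in audit_nx_env(SAMPLE).items():
        print(f"{var}: {host} -> {finding}")
```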

Additional Information

NX_LOCAL_SERVLET_SERVER_URL and the NX_SERVLET_SERVER_URL comparison in the NX.env.