How to resolve QBE.EQ.REF_NUM Cross Site Scripting (XSS) vulnerability with CA Service Desk Manager 12.9/14.1 URL?


Article ID: 36172


Products

SUPPORT AUTOMATION - SERVER
CA Service Desk Manager - Unified Self Service
KNOWLEDGE TOOLS
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager

Issue/Introduction

PROBLEM

A CA Service Desk Manager (CA SDM) 12.9 or 14.1 installation might be susceptible to a reflected Cross Site Scripting (XSS) vulnerability through the QBE.EQ.REF_NUM URL parameter.

 

BACKGROUND

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as a link in an e-mail message or on some other web site. When a user is tricked into clicking a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server, which means the script runs in the origin of the vulnerable site and can act with the victim's session (for example, read the page, issue requests, or access non-HttpOnly cookies). Reflected XSS is also sometimes referred to as "Non-Persistent" or "Type-II" XSS.

 

SOLUTION

The correction for this problem is delivered in the Cumulative #1 patch for CA SDM 12.9. The patch provides a set of validation patterns that can be added to 'web.cfg' and introduces a new NX environment variable, 'NX_VALIDATE_REQUEST_PARAMETER', which enables validation of request parameters against those patterns. Each protected parameter is bound to a named pattern, and a request whose parameter value does not match the pattern is rejected before it can be reflected into a response.

NOTE: For the CA SDM 14.1 release no special patch is required, because this support is already available from the 14.1 GA release onward. More information on enabling it for 14.1 is available in the CA SDM 14.1 documentation. Once that configuration is done, continue from Step 2 below.

 

1.  Follow Step 35 of the Post Installation steps for the CA SDM 12.9 Cumulative #1 patch to enable the above option and add the needed validation patterns to the web.cfg file.

2.  In addition to the validation patterns already provided in the CA SDM 12.9 Cumulative #1 patch, add the following new validation pattern, which allows only digits, the '%' character and the '?' character (an empty value is also accepted):

Windows_SecureValidator.NumberPercentQuestion ^[0-9%?]*$

3.  To apply that pattern to the QBE.EQ.REF_NUM parameter, add the following line to the web.cfg file as well; the second field must exactly match the name used in the pattern line above:

SecureParameter.QBE.EQ.REF_NUM NumberPercentQuestion

 

Notes:

a.  If REF_NUM has a different format than the default out-of-the-box format (for example, a letter prefix or a separator character), the validation pattern must be updated to accommodate the custom format; otherwise legitimate searches on the reference number will be rejected. Keep the updated pattern as narrow as the custom format allows. A pattern that admits characters such as '<', '>', '"' or '\'' would reintroduce the XSS exposure this configuration is meant to close. Test a reference-number search after changing web.cfg.

b.  To secure any other parameter in a CA SDM URL, add that parameter to web.cfg with the required validation pattern (if it is not already present in web.cfg). New validation patterns can also be added if required.
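As an added worked example that is not part of this article and is not CA's code: the following Python models the allow-list check that the two web.cfg lines above describe, using the key names from the article, and runs it over constructed URLs: a plain reference number, a value using '%' and '?', an encoded script payload, a value with a trailing newline, and the custom-format case from Note (a). The web.cfg parser, the illustrative URL path, the 'PrefixedNumber' pattern, and the assumption that the check is applied to the URL-decoded parameter value are the author's, not CA's; a real deployment is validated by CA SDM itself once NX_VALIDATE_REQUEST_PARAMETER is enabled.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed web.cfg fragment. The two non-comment lines are exactly the
# entries the article asks you to add; the rest of a real web.cfg is omitted.
WEB_CFG = """
# digits plus '%' and '?' (the characters the article's pattern allows)
Windows_SecureValidator.NumberPercentQuestion ^[0-9%?]*$
# bind the pattern to the QBE.EQ.REF_NUM request parameter
SecureParameter.QBE.EQ.REF_NUM NumberPercentQuestion
"""

# Hypothetical variant for Note (a): a site whose REF_NUM looks like INC-1234.
# The pattern name and the format are assumptions made for illustration only.
WEB_CFG_CUSTOM = """
Windows_SecureValidator.PrefixedNumber ^[A-Z]{3}-[0-9%?]*$
SecureParameter.QBE.EQ.REF_NUM PrefixedNumber
"""


def parse_web_cfg(text):
    """Read '<prefix>SecureValidator.<name> <regex>' and
    'SecureParameter.<param> <name>' lines into two dicts.

    This is the author's model of the two key forms shown in the article,
    not CA's web.cfg parser; the 'Windows_' prefix is treated as opaque."""
    validators = {}
    bindings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if "SecureValidator." in key:
            name = key.split("SecureValidator.", 1)[1]
            validators[name] = re.compile(value)
        elif key.startswith("SecureParameter."):
            bindings[key[len("SecureParameter."):]] = value
    # Fail closed: a binding that names an undefined pattern is a config error.
    for param, name in bindings.items():
        if name not in validators:
            raise ValueError(f"{param} is bound to undefined validator {name!r}")
    return validators, bindings


def validate_url(url, cfg_text=WEB_CFG):
    """Return {param: (decoded_value, accepted)} for every secured parameter
    in the URL's query string. The check runs on the URL-decoded value (an
    assumption about where the product applies it), so %3Cscript%3E is
    judged as '<script>' rather than as its encoded form. If a parameter
    repeats, the last occurrence wins."""
    validators, bindings = parse_web_cfg(cfg_text)
    results = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        validator = bindings.get(name)
        if validator is None:
            continue  # not a secured parameter; out of scope for this example
        # fullmatch, not match: with re.match the pattern '^...$' would still
        # accept a value ending in '\n', because '$' matches before a final newline.
        accepted = validators[validator].fullmatch(value) is not None
        results[name] = (value, accepted)
    return results


def request_allowed(url, cfg_text=WEB_CFG):
    """True only if every secured parameter present in the URL passes its pattern."""
    return all(ok for _, ok in validate_url(url, cfg_text).values())


if __name__ == "__main__":
    # Illustrative host and path; constructed query strings.
    base = "http://sdm.example.internal/CAisd/pdmweb.exe?"
    for q in ("QBE.EQ.REF_NUM=1234",
              "QBE.EQ.REF_NUM=12%25",          # decodes to 12%
              "QBE.EQ.REF_NUM=%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
              "QBE.EQ.REF_NUM=1234%0A",        # trailing newline
              "QBE.EQ.REF_NUM=INC-1234"):
        print(f"{q:60} default: {request_allowed(base + q)!s:5} "
              f"custom: {request_allowed(base + q, WEB_CFG_CUSTOM)}")
```

Running the block prints one line per constructed URL showing whether the default pattern and the hypothetical custom pattern accept it. The INC-1234 case is the point of Note (a): the article's default pattern rejects it, so a site with that format has to supply its own pattern, and that pattern should still exclude markup characters.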

Environment

Release: SDMU0M99000-14.1-Service Desk Manager-Full License
Component: