A CA Service Desk Manager (CA SDM) installation might be susceptible to reflected Cross Site Scripting (XSS) vulnerabilities.
Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message or on some other web site. When a user is tricked into clicking a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server. Reflected XSS is also sometimes referred to as "Non-Persistent" or "Type-II" XSS.
Release: SDMU0M99000-14.1-Service Desk Manager-Full License
Component: CA Service Desk Manager
The correction for this problem is delivered in the Cumulative #1 patch for CA SDM 12.9. It provides a set of validation patterns that can be added to 'web.cfg' and introduces a new NX environment variable, 'NX_VALIDATE_REQUEST_PARAMETER', which turns request-parameter validation on. Any request parameter bound to a pattern in web.cfg is then checked against that pattern before it is processed; parameters that are not bound to a pattern are not validated.
NOTE: For CA SDM 14.1 and later, no special patch is required because the above support is already available from the 14.1 GA release onward. More information about this for 14.1 is available here. Once this configuration is done, continue from Step #2 below.
1. Follow Step #35 of the Post Installation steps for the CA SDM 12.9 Cumulative #1 patch to enable the above option (NX_VALIDATE_REQUEST_PARAMETER) and add the needed validation parameters to the web.cfg file.
2. In addition to the validation patterns already provided in the CA SDM 12.9 Cumulative #1 patch, we suggest adding the following validation pattern, which allows only digits, the '%' wildcard and '?':
Windows_SecureValidator.NumberPercentQuestion ^[0-9%?]*$
3. To bind the REF_NUM query-by-example parameter to that pattern, the following line is also required in the web.cfg file:
SecureParameter.QBE.EQ.REF_NUM NumberPercentQuestion
a. If REF_NUM at your site has a different format than the default out-of-the-box format (for example a configured prefix or non-numeric characters), the validation pattern must be updated to accommodate the custom format; otherwise valid ticket numbers will be rejected along with the malicious input.
b. To secure any other parameter in a CA SDM URL, add that parameter to web.cfg with the required validation pattern (if it is not already present in web.cfg). Parameters that are not bound to a pattern are not validated, so each parameter that is reflected into a response needs its own SecureParameter entry. New validation patterns can also be added if required.
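To make the allow-list semantics of steps 2 and 3 concrete, here is an added Python example. It is not CA's code and does not reproduce how CA SDM implements NX_VALIDATE_REQUEST_PARAMETER internally; it reads the two web.cfg lines recommended above, binds the parameter to its pattern, and checks query strings against them. The host name and URL shape, the extra NumberOnly pattern with its QBE.EQ.id binding, and the custom "INC-" prefix format used to illustrate step 3a are assumptions made for this example, not settings from the article.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed web.cfg fragment: the two lines this article tells you to add,
# plus a second (hypothetical) pattern/parameter pair to show the general shape.
WEB_CFG = """
Windows_SecureValidator.NumberPercentQuestion ^[0-9%?]*$
Windows_SecureValidator.NumberOnly ^[0-9]*$
SecureParameter.QBE.EQ.REF_NUM NumberPercentQuestion
SecureParameter.QBE.EQ.id NumberOnly
"""

# Hypothetical variant for step 3a: a site whose ticket numbers carry an "INC-"
# prefix needs a widened pattern, or every legitimate REF_NUM gets rejected.
CUSTOM_REF_NUM_CFG = """
Windows_SecureValidator.PrefixedNumberPercentQuestion ^(INC-)?[0-9%?]*$
SecureParameter.QBE.EQ.REF_NUM PrefixedNumberPercentQuestion
"""


def parse_web_cfg(text):
    """Split a web.cfg fragment into (patterns, bindings).

    patterns: pattern name -> compiled regex
    bindings: request parameter name -> pattern name
    """
    patterns, bindings = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.startswith("Windows_SecureValidator."):
            patterns[key.split(".", 1)[1]] = re.compile(value.strip())
        elif key.startswith("SecureParameter."):
            bindings[key.split(".", 1)[1]] = value.strip()
    # A binding to a pattern that was never defined is a configuration error,
    # not a silently-unvalidated parameter.
    for param, pname in bindings.items():
        if pname not in patterns:
            raise ValueError(f"{param} is bound to undefined pattern {pname}")
    return patterns, bindings


def validate_request(query, patterns, bindings):
    """Check every bound parameter in a query string against its pattern.

    Returns (ok, rejected) where rejected lists (name, decoded_value) pairs
    that failed. Parameters with no SecureParameter binding are not checked,
    which is exactly why step 3b asks you to bind each reflected parameter.
    """
    rejected = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        pattern_name = bindings.get(name)
        if pattern_name is None:
            continue
        # fullmatch, not match: with match(), "$" would accept a value that
        # ends in a newline ("12345\n"), so the anchors alone are not enough.
        if not patterns[pattern_name].fullmatch(value):
            rejected.append((name, value))
    return (not rejected, rejected)


def check_url(url, cfg=WEB_CFG):
    """Convenience wrapper: parse cfg, then validate the URL's query string."""
    patterns, bindings = parse_web_cfg(cfg)
    return validate_request(urlsplit(url).query, patterns, bindings)


if __name__ == "__main__":
    base = "http://sdm.example/CAisd/pdmweb.exe?OP=SEARCH&FACTORY=cr&"  # assumed host/URL shape
    for q in ("QBE.EQ.REF_NUM=12345",
              "QBE.EQ.REF_NUM=12%25",                        # decodes to 12%
              "QBE.EQ.REF_NUM=%3Cscript%3Ealert(1)%3C/script%3E",
              "QBE.EQ.REF_NUM=12345%0A",                     # trailing newline
              "SEARCH_TEXT=%3Cscript%3E"):                  # unbound parameter
        print(q, "->", check_url(base + q))
```

Validation in this example runs on the URL-decoded value, so a literal '%' wildcard in REF_NUM arrives as '%25' and is accepted, while '%3C' decodes to '<' and is rejected. The last case in the usage block shows the gap step 3b is about: an unbound parameter passes untouched even when it carries script, because nothing in web.cfg tells the validator to look at it.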
Additional information on Cross Site Scripting vulnerabilities in SDM and on NX_VALIDATE_REQUEST_PARAMETER is available here.