When running Web Agent and when the protected resources has a "
character in the query part of the URL, then arbitrary code can be
executed in the login.fcc page if the user use Internet Explorer
browser. This issue cannot be reproduced with other browser.
This seems to be an issue in IE (1).
In the Web Agent ACO, set the following Parameter :
fcchtmlencoding to yes (2)
to solve this vulnerability introduced by the Internet Explorer
IE URI Encoding Behavior Facilitates XSS Attacks, Researchers Say
"Internet Explorer (IE) doesn't encode double quote characters (")
in the query part of the uniform resource identifier (URI)," Rob
Rachwald, Imperva's director of security strategy, said in a blog
"This behavior, besides being non standard (as stated by RFC 3986
[the Internet Engineering Task Force memorandum describing the
generic URI syntax] and implemented by other browsers including
Chrome or Firefox) may expose IE users to reflected XSS attacks,"
Help Prevent Attacks
To prevent cross-site scripting attacks against the web agent FCC
pages, use HTML encoding to ensure that your FCC variable data is
HTML encoding ensures that the characters are treated as their literal
value and not as HTML syntax. Encoding ensures that the damaging
cross-site scripting syntax is rendered as literal text as it must
appear and that the browser does not execute the code while rendering
the HTML form. You can encode all the syntax that could be misused
during an attack.
The fcchtmlencoding parameter instructs an agent to apply an HTML
encoding algorithm to all the values inserted into the FCC variables
that have the following syntax:
If the characters that are traditionally blocked are necessary in the
FCC data, then enable the fcchtmlencoding parameter.
Specifies whether the HTML encoding is enabled to prevent Cross-Site
Scripting attacks against web agent FCC pages. This parameter does not
block any characters.
Values: Yes and No.
The fcchtmlencoding parameter applies to all the variable
substitutions for all the FCC forms. An agent using this parameter can
serve one or more FCC forms