[nv-l] cross-site scripting exposure

2003-11-20 15:04:26
Subject: [nv-l] cross-site scripting exposure
From: "Chris Coulson" <ccoulson AT ca.ibm DOT com>
To: nv-l AT lists.tivoli DOT com
Date: Thu, 20 Nov 2003 14:55:30 -0500
I have NetView V7.1.3 on AIX 5.1.  I was just informed by my AIX Server
support people that a security scan has just identified the following
exposure:

 [HTTP/8080/TCP] Server is an enabling vector for cross-site scripting
exposure in clients [trace-1]

Currently, we have 3 HTTP servers on this device:
   1. For the TREND Application - on port 80 (defaults to port 80)
   2. IBM HTTP server on port 85 - but it is down right now. It was taken
   down.
   3. NetView on port 8080

CERT says there is no fix for the exposure, but the server can disable
scripting. I don't know if scripting enabled or disabled will affect
NetView.

Has anyone been flagged with this exposure?

We never use the Web Server function to access NetView.  Is there a way to
correct this security exposure?

Thanks,
Chris Coulson
ccoulson AT ca.ibm DOT com



