nv-l
[Top] [All Lists]

[nv-l] cross-site scripting exposure

To: nv-l@lists.tivoli.com
Subject: [nv-l] cross-site scripting exposure
From: "Chris Coulson" <ccoulson@ca.ibm.com>
Date: Thu, 20 Nov 2003 14:55:30 -0500
Delivery-date: Thu, 20 Nov 2003 20:04:26 +0000
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
Reply-to: nv-l@lists.us.ibm.com
Sender: owner-nv-l@lists.us.ibm.com
I have NetView V7.1.3 on AIX 5.1.  I was just informed by my AIX Server
support people that a security scan has just identified the following
exposure:

 [HTTP/8080/TCP] Server is an enabling vector for cross-site scripting
exposure in clients [trace-1]

Currently, we 3 http servers on this device:
   1. For the TREND Application - on port 80 (defaults to port 80)
   2. IBM HTTP server on port 85 -  but it is down right now. It was taken
   down.
   3. NetView on port 8080

CERT says there is no fix for the exposure, but the server can disable
scripting. I don't know if scripting enabled or disabled will affect
NetView.

Has anyone been flagged with this exposure?

We never use the Web Server function to access NetView.  Is there a way to
correct this security exposure?

Thanks,
Chris Coulson
ccoulson@ca.ibm.com




<Prev in Thread] Current Thread [Next in Thread>

Archive operated by Skills 1st Ltd

See also: The NetView Web