[nv-l] cross-site scripting exposure

To:	nv-l@lists.tivoli.com
Subject:	[nv-l] cross-site scripting exposure
From:	"Chris Coulson" <ccoulson@ca.ibm.com>
Date:	Thu, 20 Nov 2003 14:55:30 -0500
Delivery-date:	Thu, 20 Nov 2003 20:04:26 +0000
Envelope-to:	nv-l-archive@lists.skills-1st.co.uk
Reply-to:	nv-l@lists.us.ibm.com
Sender:	owner-nv-l@lists.us.ibm.com

I have NetView V7.1.3 on AIX 5.1.  I was just informed by my AIX Server
support people that a security scan has just identified the following
exposure:

 [HTTP/8080/TCP] Server is an enabling vector for cross-site scripting
exposure in clients [trace-1]

Currently, we 3 http servers on this device:
   1. For the TREND Application - on port 80 (defaults to port 80)
   2. IBM HTTP server on port 85 -  but it is down right now. It was taken
   down.
   3. NetView on port 8080

CERT says there is no fix for the exposure, but the server can disable
scripting. I don't know if scripting enabled or disabled will affect
NetView.

Has anyone been flagged with this exposure?

We never use the Web Server function to access NetView.  Is there a way to
correct this security exposure?

Thanks,
Chris Coulson
ccoulson@ca.ibm.com

<Prev in Thread]	Current Thread	[Next in Thread>
[nv-l] cross-site scripting exposure, Chris Coulson <= Re: [nv-l] cross-site scripting exposure, Leslie Clark

Previous by Date:	Re: [nv-l] Where did NetView Go ???, Alan E. Hennis
Next by Date:	[nv-l] Marco Rossi/Italy/IBM is out of the office., Marco Rossi
Previous by Thread:	[nv-l] Router Smartsets, nraaman
Next by Thread:	Re: [nv-l] cross-site scripting exposure, Leslie Clark
Indexes:	[Date] [Thread] [Top] [All Lists]