=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN317
_____________________________________________________________________

DATE                      : 01/09/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Novell User Application,
                             Novell Identity Manager Roles Based
                                                 Provisioning Module.

======================================================================
http://www.novell.com/support/viewContent.do?externalId=7001157&sliceId=1
______________________________________________________________________

Cross-Site Scripting vulnerability in the User Application

This document (7001157) is provided subject to the disclaimer at the end 
of this document.
Environment
Novell User Application 3.0.1
Novell User Application 3.5.0
Novell User Application 3.5.1
Novell Identity Manager Roles Based Provisioning Module 3.6.0
Novell Identity Manager Roles Based Provisioning Module 3.6.1


Situation

Cross-Site Scripting vulnerability has been discovered in the current
releases of the Novell User Application and Novell Identity Manager
Roles Based Provisioning Module.

For more information about Cross-Site Scripting please see the
Additional Information Area.


Resolution

The fix for Novell User Application 3.0.1 is in the IDM User Application
301 Field Patch R (UA301R) or newer found at
http://download.novell.com/patch/finder/


The fix for Novell User Application 3.5.0 is in the IDM User Application 
350 Field Patch AD (UA350AD) or newer found at
http://download.novell.com/patch/finder/


The fix for Novell User Application 3.5.1 is in the IDM User Application
351 Field Patch V (UA351V) or newer found at
http://download.novell.com/patch/finder/


The fix for Novell Identity Manager Roles Based Provisioning Module
3.6.0 is in the IDM Roles Based Provisioning Module 360 Field Patch C
(UA360C) or newer found at http://download.novell.com/patch/finder/


The fix for Novell Identity Manager Roles Based Provisioning Module
3.6.1 is in the IDM Roles Based Provisioning Module 361 Field Patch A
(UA361A) or newer found at http://download.novell.com/patch/finder/


Status

Security Alert


Additional Information

A definition of Cross-Site Scripting according to http://www.webopedia.com
(http://www.webopedia.com/TERM/X/XSS.html):

"An abbreviation of cross-site scripting. XSS is a security breach that
takes advantage of dynamically generated Web pages. In an XSS attack, a
Web application is sent with a script that activates when it is read by
an unsuspecting user’s browser or by an application that has not
protected itself against cross-site scripting. Because dynamic Web sites
rely on user input, a malicious user can input malicious script into
the page by hiding it within legitimate requests. Common exploitations
include search engine boxes, online forums and public-accessed blogs.
Once XSS has been launched, the attacker can change user settings,
hijack accounts, poison cookies with malicious code, expose SSL
connections, access restricted sites and even launch false
advertisements. The simplest way to avoid XSS is to add code to a Web
application that causes the dynamic input to ignore certain command
tags.

Scripting tags that take advantage of XSS include <SCRIPT>, <OBJECT>,
<APPLET>, <EMBED> and <FORM>. Common languages used for XSS include
JavaScript, VBScript, HTML, Perl, C++, ActiveX and Flash.

Cross-site scripting also is referred to as malicious tagging and
sometimes abbreviated as CSS, though CSS is more commonly used as an
abbreviation for cascading style sheets. "


Document

Document ID:	7001157
Creation Date:	08-14-2008
Modified Date:	08-29-2008
Novell Product:	Identity Manager


Disclaimer

The Origin of this information may be internal or external to Novell.
Novell makes all reasonable efforts to verify this information. However,
the information provided in this document is for your information only.
Novell makes no explicit or implied claims to the validity of this
information.
Any trademarks referenced in this document are the property of their
respective owners. Consult your product manuals for complete trademark
information.

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================