How to address a Cross Site Scripting (XSS) security vulnerability reported on Satellite 5.7 after running a security scan?

Solution Verified - Updated -

Issue

  • A security scan of the application reports a "cross site scripting (XSS)" vulnerability.
URLs with the issue (affected parameter or page shown after each URL):
https://<SatelliteServer_FQDN>/rhn/systems/PhysicalList.do          list_1680466951_oldfilterval (parameter)
https://<SatelliteServer_FQDN>/rhn/systems/VirtualSystemsList.do    VirtualSystemsList.do (page)

Vulnerability Description:
It is possible to steal or manipulate a customer's session and cookies, which might be used to impersonate a legitimate user, allowing the attacker to view or alter user records and to perform transactions as that user.

Possible Resolution Description:
There are several mitigation techniques:
[1] Strategy: Libraries or Frameworks
Use a vetted library or framework that does not allow this weakness or that provides constructs which make it easier to avoid (for example, templating or tag libraries that encode output by default).
[2] Strategy: Parameterization
If available, use structured mechanisms that automatically enforce separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this at every point where output is generated.
[3] Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks.
[4] Strategy: Output Encoding
If untrusted data (such as a request parameter that is echoed back into the page) must be included in dynamically generated output, encode it for the context in which it is emitted (HTML body, HTML attribute, JavaScript, or URL) so that characters such as <, >, ", ' and & are rendered as data rather than interpreted as markup or script. Encoding for the wrong context, or only for the HTML body when the value lands inside an attribute, leaves the flaw in place.
[5] Strategy: Input Validation
Assume all input is malicious. Use an "accept known good" input validation strategy: a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on detecting malicious or malformed inputs with a blacklist. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Production - On Satellite Server
  • The vulnerability is reported every time the scan runs.

Environment

  • Red Hat Satellite or Proxy 5.7
