| Products | Versions |
|---|---|
| TIBCO Managed File Transfer Command Center | 8.2.1 and below |
Description
The affected component has a reflected cross-site scripting (XSS) vulnerability: an attacker could craft a URL that will execute arbitrary commands on the affected system. If the attacker convinces an authenticated user to enter or click on the URL, the commands will be executed on the affected system.
Impact
The impact of this vulnerability includes the possibility that an attacker can obtain the session ID of the affected user's session and take any action that the affected user is privileged to perform.
The workaround for this issue is to update the httpparamchecking.xml file:

```
cd <MFT-Install>/server/webapps/cfcc/WEB-INF
copy httpparamchecking.xml httpparamchecking.xml.orig
edit httpparamchecking.xml
```

Make the following changes:

1. In lines 63-168 (approximately), add `|%7C` to the existing patterns. A generic change command you can execute is:

   ```
   change "#60;|%3C)" to "#60;|%3C|%7C)"
   ```

2. Add the following line after line 62 (`<!-- Checking javascript eventhandler, <... EventHandler=... -->`):

   ```
   <regexvalue>(?s).*(<|"|'|&lt;|&#x3C;|&#60;|%3C|%7C).*alert.*</regexvalue>
   ```

3. Restart the MFT Server.

Repeat this procedure for all Command Center and Internet Server instances.
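The following is an added example, not code from TIBCO or from this advisory. It applies the two file edits above to a constructed sample of the relevant region of httpparamchecking.xml (only the line-62 comment and the `#60;|%3C)` tail of the existing patterns are taken from the advisory; the other rules in the sample are invented for illustration), then shows which parameter values the rules match before and after the change. The function names (`apply_workaround`, `extract_rules`, `is_blocked`) are hypothetical, and the assumption that the checker applies each pattern with whole-string match semantics is the example's, not the advisory's.

```python
import re

# Constructed sample of the relevant region of httpparamchecking.xml. The real file's
# contents are not reproduced in the advisory; only the comment from line 62 and the
# "#60;|%3C)" tail of the existing patterns are taken from it.
SAMPLE_XML = """\
<httpparamchecking>
  <!-- Checking script tags (constructed rule) -->
  <regexvalue>(?s).*(<|"|'|&lt;|&#x3C;|&#60;|%3C).*script.*</regexvalue>
  <!-- Checking javascript eventhandler, <... EventHandler=... -->
  <regexvalue>(?s).*(<|"|'|&lt;|&#x3C;|&#60;|%3C).*on[a-z]+=.*</regexvalue>
</httpparamchecking>
"""

# Taken from the advisory: the marker comment, the step-1 substitution and the step-2 rule.
EVENTHANDLER_COMMENT = "<!-- Checking javascript eventhandler, <... EventHandler=... -->"
OLD_TAIL = "#60;|%3C)"
NEW_TAIL = "#60;|%3C|%7C)"
NEW_RULE = '<regexvalue>(?s).*(<|"|\'|&lt;|&#x3C;|&#60;|%3C|%7C).*alert.*</regexvalue>'

RULE_RE = re.compile(r"<regexvalue>(.*?)</regexvalue>")


def apply_workaround(xml_text: str) -> str:
    """Return xml_text with both advisory edits applied; safe to run more than once."""
    # Step 1: widen every existing pattern so an encoded pipe (%7C) is also matched.
    # Already-patched text contains "#60;|%3C|%7C)" and no longer contains OLD_TAIL,
    # so a second run is a no-op.
    patched = xml_text.replace(OLD_TAIL, NEW_TAIL)

    # Step 2: insert the new rule directly after the event-handler comment, once only.
    already_present = NEW_RULE in patched
    out = []
    for line in patched.splitlines(keepends=True):
        out.append(line)
        if not already_present and line.strip() == EVENTHANDLER_COMMENT:
            indent = line[: len(line) - len(line.lstrip())]
            out.append(indent + NEW_RULE + "\n")
    return "".join(out)


def extract_rules(xml_text: str) -> list[str]:
    """Pull the regex body out of every <regexvalue> element (one rule per line)."""
    return RULE_RE.findall(xml_text)


def is_blocked(param_value: str, rules: list[str]) -> bool:
    """True if any rule matches the raw (still URL-encoded) parameter value.

    Assumption: the checker applies each pattern with whole-string (Java matches())
    semantics; the advisory does not say, so re.fullmatch is used here.
    """
    return any(re.fullmatch(rule, param_value) for rule in rules)


if __name__ == "__main__":
    before = extract_rules(SAMPLE_XML)
    after = extract_rules(apply_workaround(SAMPLE_XML))
    # Constructed probe values: a benign filename and two strings using the encoded pipe.
    for value in ("report.csv", "%7C%7Calert(1)", "%7Cscript"):
        print(f"{value!r}: before={is_blocked(value, before)} after={is_blocked(value, after)}")
```

The probe values are checked in their raw, still-encoded form because the patterns themselves enumerate the encoded variants (`%3C`, `%7C`) alongside the literal characters; decoding first would hide what the rule is written to catch. Running `apply_workaround` on an already-patched file leaves it unchanged, which makes it safe to include in a repeatable configuration step across all Command Center and Internet Server instances.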