Hi @,
we've built a new VDI environment, connection broker internally and an internet-facing security server
for users who want to connect from the home office.
The solution works fine so far and the users are able to connect perfectly. Our security guys checked the server
for vulnerabilities and found some open security issues like:
THREAT:
Web Server Vulnerable to Cross-Site Scripting attacks.
Web Server Vulnerable to Redirection Page Cross-Site Scripting Attacks
I usually would patch those issues on a standard IIS or Apache/Tomcat. How are those "issues" handled on the integrated VDM webserver?
Cheers & have a nice weekend, Rod
Hi Rod,
Are you able to be more specific? Please feel free to send me a direct message.
Hi mpryor,
sure, regarding:
Web Server Vulnerable to Cross-Site Scripting Attacks
THREAT:
Your Web server does not filter script embedding from links displayed on a server's Web site.
A malicious user can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyperlink. Upon
clicking the hyperlink, your Web server will generate an error message including the specified or embedded script. The specified or embedded script is executed in
the client's browser and treated as content originating from the target server returning the error message (even though the scripting may have originated from
another site entirely).
IMPACT:
By exploiting this vulnerability, malicious scripts can be executed in the client's browser.
SOLUTION:
Any Web server may be affected by this vulnerability. To prevent cross-site scripting attacks from occurring, web developers should use static pages whenever
possible and sanitize input / output.
The following vendors provided patches at the web server level. See below for a list of patches for some specific Web servers. If this information does not apply
to your Web server, contact your Web server vendor. If your web server does not support filtering please have your web developers resolve this issue at the
application level.
This issue is fixed in Sun ONE / iPlanet Web Server 4.1 Service Pack 12 and above. The latest service pack is available for download from Sun ONE Web Server
Enterprise Edition 4.1 Service Pack 13 (http://wwws.sun.com/software/download/products/3f8472da.html).
For Microsoft IIS Web server, apply the cumulative patch described in Microsoft Security Bulletin MS02-018
(http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx). No additional service packs are planned for Windows NT 4.0. IIS 5.0 fixes will be included
in Windows 2000 Service Pack 3. IIS 5.1 fixes will be included in Windows XP Service Pack 1.
Lotus Domino had this issue with Domino R5 Web server. Check the Lotus advisory SPR# JCHN4V2HUY
For IBM Websphere, please refer to websphere-faultactor-xss (30055) (http://xforce.iss.net/xforce/xfdb/30055).
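The finding above describes an error page that echoes the requested URL back without HTML-encoding it. The following is an added example (not from this thread, VMware or the scanner vendor) that shows the difference between an escaped and an unescaped error page and gives a small check a server owner can run against a VDM security server after an upgrade. The marker string, the `render_error_page` helper and the hypothetical base URL are assumptions for illustration.

```python
import html
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed, harmless marker: a server that reflects the path unescaped
# will echo these angle brackets verbatim in its error page.
MARKER = "<vdmxsscheck>"


def render_error_page(requested_path: str, escaped: bool) -> str:
    """Model of a 404 page that mentions the requested path.

    escaped=False reproduces the behaviour the scanner flags; escaped=True
    is the fixed behaviour (HTML-encode anything taken from the request).
    """
    shown = html.escape(requested_path) if escaped else requested_path
    return f"<html><body>The requested resource ({shown}) is not available.</body></html>"


def classify_error_body(body: str, marker: str = MARKER) -> str:
    """Classify how an error page treated a marker placed in the request path.

    'reflected-unescaped': the finding applies, the page echoes raw markup.
    'reflected-escaped':   the path is echoed but HTML-encoded (safe).
    'not-reflected':       the page does not mention the path at all.
    """
    if marker in body:
        return "reflected-unescaped"
    if html.escape(marker) in body:
        return "reflected-escaped"
    return "not-reflected"


def probe_error_page(base_url: str, marker: str = MARKER, timeout: float = 10.0) -> str:
    """Request a non-existent path containing the marker on your own server
    and classify the error body. URL-encodes the marker so it survives transit."""
    url = base_url.rstrip("/") + "/" + urllib.parse.quote("nonexistent-" + marker, safe="")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:  # 404 is the expected outcome
        body = err.read().decode("utf-8", errors="replace")
    return classify_error_body(body, marker)


if __name__ == "__main__":
    # Offline demonstration, or pass your own server as argv[1], e.g. https://vdm.example.invalid
    if len(sys.argv) > 1:
        print(probe_error_page(sys.argv[1]))
    else:
        for fixed in (False, True):
            print(fixed, classify_error_body(render_error_page("/x" + MARKER, escaped=fixed)))
```

Only run `probe_error_page` against systems you administer; the classifier alone is enough to interpret a scanner's evidence.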
My first instinct is to reply 'wait for an updated release from us' but I can't give you a definitive answer on our policy regarding third-party software - I'll seek an official answer on whether we support patching the bundled Tomcat instance, watch this space.
Any updates here? Our security team doesn't want to allow VDM through the firewall because of these vulnerabilities... so it's put VDI at a bit of a standstill.
It has been three months now, and still no official reply from VMware regarding this vulnerability.
Tom Howarth
VMware Communities User Moderator
Thanks for the ping Tom, I'd lost track of this thread. VDM 2.1.1, which was released at the end of October 2008, has upgraded the included version of Tomcat to 5.5.26. Several customers have reported that their static analysis tools no longer return warnings against the updated version.