Possible cross-site scripting (XSS) condition in the username field of the Web Reporting Tools portal page
Article Information
Article #: 1840 Last Review: 18-Apr-2008
NOTE Please refer to the notice at the end of this article for more information pertaining to support of third party software.
Article
Important Information
Prerequisites:

N/A

Notes:

N/A

Warnings:

N/A

Problem Description:

When a user logs on to the Web Reporting Tools portal with an invalid username that contains a quotation mark ("), a portion of that username may appear in the body of the logon error page.

This occurs only in version 6.3.x of the Websense Reporting Tools.

The security threat level from this issue has been deemed to be Low.

Websense, Inc. is grateful to Dave Lewis, from Liquidmatrix.org, for reporting this issue.

Error Messages: (Detailed)

N/A

Resolution:

A Hotfix for this issue is available for Websense Enterprise and Web Security Suite version 6.3.1. To download the Hotfix:

  1. Log on to: mywebsense.com
    A username and password are required.
  2. Locate and click the View Patches link.
    The Websense Patches web page displays.
  3. From the drop-down lists, select the following options:

    • Version: 6.3.1
    • Product: Websense Enterprise
    • Operating System: Windows 2000/2003
    • Integration: (choose any integration)

  4. From the Hotfix list presented, locate: Delegated Admins unable to access Web Reporting Tools and Intermittent RTA errors
  5. Click the associated Download link and follow the on-screen prompts.

To install the Hotfix, complete the following steps:

  1. Navigate to the C:\Program Files\Websense\webroot\cgi-bin\ directory and back up the following files:

    • WsCgiLogin.exe
    • WsCgiLib.dll

  2. Unzip the Hotfix to a temporary directory.
  3. From the temporary directory, move the WsCgiLogin.exe and WsCgiLib.dll files to:
    C:\Program Files\Websense\webroot\cgi-bin\

    The Hotfix is now applied.

Related Articles:

N/A

Keywords:

XSS, cross-site scripting, security, vulnerability, Explorer, Reporting Tools, login, log in, log on, logon, username, quotation mark, portal, Websense Enterprise, Websense Web Security Suite, Reporting

Documentation References

  • N/A

3rd Party Documentation:

N/A

NOTICE In the course of providing technical support for our own products, we find that we are sometimes asked to provide information with respect to the operation of third-party products and the interoperability of those products with Websense products. We may elect to provide information regarding third-party products as a courtesy to our customers, but because the information relates to non-Websense products, the information may not be complete or accurate and cannot be warranted or guaranteed in any way. Websense does not represent that it has any expertise with respect to non-Websense products and will not be responsible in any way for claims arising from our customers' use of third-party products, regardless of whether Websense has provided any information or support relating to those products.
Websense Product Data
Product Area(s):
WSE 6.3.1
WSS 6.3.1
Product Components Affected: Reporting
Integration Component: ALL
Platform: Windows
Client OS: N/A


© 2008 Websense, Inc. All Rights Reserved.