Issue:
We're running Web Agent, and when the protected resource has a "
character in the query part of the URL, arbitrary code can be
executed in the login.fcc page if the user uses the Internet Explorer
browser. This issue cannot be reproduced with other browsers.
This seems to be an issue in IE:
https://www.pcworld.com/article/248408/ie_uri_encoding_behavior_facilitates_xss_attacks_researchers_say.html
How can we solve it?
Resolution:
In the Web Agent ACO, set the following parameter:
fcchtmlencoding to yes
This resolves the vulnerability introduced by the Internet Explorer
behavior.
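
The following added example (not part of the original article and not SiteMinder code) shows why HTML-encoding the reflected value closes the issue. It assumes a hypothetical login form template that reflects the requested URL in a hidden field; htmlEncode, renderTargetField, attributeNames and the sample URLs are constructed for illustration.

```javascript
// Added illustration: hypothetical template and helper names, not SiteMinder code.

// HTML-encode the characters that can close an attribute value or open a tag.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical login form fragment that reflects the requested URL.
function renderTargetField(target, encode) {
  const value = encode ? htmlEncode(target) : target;
  return `<input type="hidden" name="target" value="${value}">`;
}

// List the attribute names an HTML parser would see on the rendered tag.
function attributeNames(html) {
  return [...html.matchAll(/([\w-]+)\s*=\s*"[^"]*"/g)].map((m) => m[1]);
}

// Constructed sample requests for the same protected resource.
const rawQuote = '/app/page?q=a" data-injected="1'; // quote sent unencoded
const percentEncoded = "/app/page?q=a%22%20data-injected=%221"; // quote sent as %22

function demo() {
  return {
    // Raw quote, no encoding: the value ends early and a new attribute appears.
    rawUnencoded: attributeNames(renderTargetField(rawQuote, false)),
    // Raw quote, encoding on: the quote becomes &quot; and stays inside the value.
    rawEncoded: attributeNames(renderTargetField(rawQuote, true)),
    // Percent-encoded quote: harmless even without HTML encoding.
    percentUnencoded: attributeNames(renderTargetField(percentEncoded, false)),
  };
}

console.log(demo());
```

Only the raw-quote request rendered without encoding produces a fourth attribute on the tag; with encoding enabled the quote remains part of the field value.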