000036181 - 'Unsafe characters detected in URL parameters. Possible XSS attack.' accessing Dashboards in version 7.0.2+ of RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Apr 3, 2018. Last modified by RSA Customer Support Employee on Aug 7, 2020.
Version 5

Article Content

Article Number: 000036181
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2+
 
Issue: After upgrading RSA Identity Governance & Lifecycle to 7.0.2 or higher from a version prior to 7.0.2, accessing user Dashboards results in the following errors:

The request could not be handled

Unable to create page for page ID "<name of page being accessed>"

Unsafe characters detected in URL parameters. Possible XSS attack.

 
Cause: This issue occurs when using a bookmark of a Dashboard that was saved prior to 7.0.2. Starting in 7.0.2, protection against Cross-Site Scripting (XSS) was tightened, and the URL format saved in the older bookmark is now flagged as a possible XSS attack. The characters that trigger this behavior are '+' signs in the URL. In a query string a '+' is the form-encoding of a space, which is why the words of the Dashboard name appear separated by '+' signs in the old bookmark and run together in the URL that 7.0.2+ generates.

For example, the following bookmarked URL in 6.9.1 brings the user successfully to their dashboard page:
IPaddress:Port/aveksa/main?ReqType=GetPage&PageID=HomeTab_DashboardTab_Terminated+Password+Vault+Reviewers_DashboardDisplayPageData


Starting in 7.0.2, the same URL fails and is flagged as a potential XSS attack. Accordingly, the URLs generated by version 7.0.2 or higher contain no '+' signs, as in the example below:
IPaddress:Port/aveksa/main?ReqType=GetPage&PageID=HomeTab_DashboardTab_TerminatedPasswordVaultReviewers_DashboardDisplayPageData


Because an RSA Identity Governance & Lifecycle patch does not modify user bookmarks, the older version of the URL is accessed when using the bookmark and the potential XSS risk is flagged.
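As an added illustration (not RSA's own code; the article does not publish the product's actual filter rules), the following Python script reproduces only the behavior described above: it flags any query parameter whose raw value contains a '+', and it rewrites a pre-7.0.2 PageID into the 7.0.2+ form by dropping the '+' signs. The https scheme, host name and port in the sample bookmarks are assumptions; the path and PageID values are the ones quoted in this article.

```python
"""Check and rewrite pre-7.0.2 RSA IG&L dashboard bookmarks.

Illustrative example only; this is not RSA's own XSS filter. It models just
what the article states: a literal '+' in a URL parameter is flagged, and the
7.0.2+ page ID is the old page ID with every '+' removed.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample bookmarks: path and PageID from the article, the
# scheme, host and port are invented for the example.
LEGACY_BOOKMARK = (
    "https://igl.example.com:8443/aveksa/main?ReqType=GetPage"
    "&PageID=HomeTab_DashboardTab_Terminated+Password+Vault+Reviewers_DashboardDisplayPageData"
)
CURRENT_BOOKMARK = (
    "https://igl.example.com:8443/aveksa/main?ReqType=GetPage"
    "&PageID=HomeTab_DashboardTab_TerminatedPasswordVaultReviewers_DashboardDisplayPageData"
)


def raw_query_params(url: str) -> list:
    """Split the query string WITHOUT decoding it.

    urllib.parse.parse_qsl would turn '+' into a space (form encoding), which
    is exactly the character we need to see, so the query is split by hand.
    Returns a list of (name, raw_value) tuples in their original order.
    """
    query = urlsplit(url).query
    params = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        params.append((name, value))
    return params


def unsafe_params(url: str) -> list:
    """Return the names of parameters whose raw value contains a '+'.

    Assumption: '+' is the character the 7.0.2+ filter rejects, as the
    article states; the real filter may reject others, which is not modeled.
    """
    return [name for name, value in raw_query_params(url) if "+" in value]


def rewrite_legacy_bookmark(url: str) -> str:
    """Convert a pre-7.0.2 dashboard bookmark to the 7.0.2+ form.

    Only the PageID value is changed: its '+' signs are dropped (not decoded
    to spaces), which matches the article's before/after URLs. Any other
    parameter is passed through unchanged.
    """
    parts = urlsplit(url)
    rewritten = []
    for name, value in raw_query_params(url):
        if name == "PageID":
            value = value.replace("+", "")
        rewritten.append(f"{name}={value}")
    return urlunsplit(parts._replace(query="&".join(rewritten)))


if __name__ == "__main__":
    print("flagged params :", unsafe_params(LEGACY_BOOKMARK))
    print("rewritten      :", rewrite_legacy_bookmark(LEGACY_BOOKMARK))
    print("already clean  :", unsafe_params(CURRENT_BOOKMARK))
```

The hand-rolled splitter matters: parse_qsl decodes '+' to a space and would hide the very character being checked. Rewriting bookmarks this way is only reasonable because the article documents the before/after PageID format; for anything the article does not cover, the supported fix remains recreating the bookmark from the upgraded user interface as described under Resolution.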
 
Resolution: For each Dashboard that has this issue, delete the old bookmark that accesses that Dashboard and create a new one:
  1. Delete the problematic bookmark (browser dependent).
  2. Log in to the RSA Identity Governance & Lifecycle user interface.
  3. Navigate to the Dashboard that was no longer reachable via the bookmark. Note that the Dashboard is now accessible and that the URL contains no '+' signs; this is the URL format required for 7.0.2 and above.
  4. Save the bookmark (browser dependent).
  5. Open the bookmark and confirm that the Dashboard is now accessible.

 
