Wireless Access

During a pen test we have found Airwave to be susceptible to the CVE-2002-0504 cross-site scripting vulnerability. Has anyone else come across this? Is Citrix NFuse used in Airwave?

Original release date:08/12/2002
Last revised:09/05/2008
Source: US-CERT/NIST
Overview
Cross-site scripting vulnerability in Citrix NFuse 1.6 and earlier does not quote results from the getLastError method, which allows remote attackers to execute script in other clients via the NFuse_Application parameter to (1) launch.jsp or (2) launch.asp.

What version of AirWave was this tested agains?  And what's the full name of the tool used for testing?  AirWave does not utilize any Citrix NFuse packages, but it may be part of a shared library that's default on a CentOS installation.  We'll look into this to see if it is relevant.

Version: 7.4.2

I'm not certain of the tool that was used. I have asked our security team, and I will post it here once they have replied.

Are you sure it was run against 7.4.2?  The latest release is AMP 7.6.2 (posted 2 weeks ago).  That's 2 full release higher than 7.4.2 (nearly 2 year old code).

yes, it's 7.4.2

we are upgrading soon. The version we are on doesn't recognize the RAP3 very well.

The RAP3 is a newer AP which may have firmware that wasn't supported in AMP 7.4.2.

To give you an idea, 7.4.2 was released in November 2011, and the RAP3 was released around July 2012 (this matches closer to AMP 7.5.5).  You're options for RAP3 support in AMP are to either upgrade to the last release of 7.5 (7.5.7) which gets you the firmware support or to the latest release: 7.6.2 which may have some fixes.  If you're using the RAP3 in an Aruba Instant state, then you'll want to aim for 7.6.2.

Some more notes:

7.6 was released in November 2012, with the latest patch (7.6.2) published last month (January 2013).  Based on customer feedback, the release has been very stable.

Nessus Plugin ID 14626