Alcatel-

Alcatel-Lucent Security Advisory No. SA0044

SA0044 Ed. 03
03
Cross site scripting vulnerability in OmniVista 4760

Summary
A cross site scripting vulnerability has been discovered in OmniVista 4760. It only impacts the application’s
web pages.

References
Alcatel-Lucent vulnerability number VU-110203-1
Alcatel-Lucent change request crms00325974

Affected products
OmniVista 4760 all versions.
Business integrated Communication Solution (BiCS) all versions prior to R2.3: BiCS includes a vulnerable
version of OmniVista 4760.

Not affected products

Business integrated Communication Solution (BiCS) R2.3: BiCS includes an immune version of OmniVista
4760.

Technical context
The OmniVista 4760 Network Management solution can be accessed either through a heavy client –installed
on the administrator’s workstation- or by downloading a lightweight client over the company’s LAN from the
OmniVista 4760 embedded HTTP server.
This HTTP server presents a home page at http://<omnivista_4760_IP_address>/ that gives access to the Web
directory application and the configuration lightweight client application.

Description of the vulnerability

Cross site scripting vulnerabilities are present in the OmniVista 4760 home page and in the Web directory
application. They enable an attacker to perform local (client-side) actions in the context of the invoking user.
The action is supplied to the victim through a crafted link (URL) contained in an email or clicked on a
malicious web site.

Impacts
Normal access to the configuration/save-restore page does not create a risk. It is only when these pages are
visited as the result of following a crafted link that the fraudulent local action occurs. Typical actions may result
in disclosure of information contained in cookies: an authenticator (login/password) or other personal
information.
This vulnerability doesn’t directly impact the communication functions of the managed OmniPCX Enterprise or
OmniPCX Office systems.

Software Versions and fixes

OmniVista 4760
Corrective for this vulnerability is available on the Business Partner web site in the section “Technical Support
> Software Download” and the installation procedure is available on the same page:

Security Advisory template v.13

OmniVista 4760 R5.1: install Patch5 for version 5.1.06.03.c_Patch4 (MD5 checksum
e3ab8d0a219af02f27d1b2d4ae6f90df)
OmniVista 4760 R5.2: install Patch1 for version R5.2.01.03.d (MD5 checksum
5f094d0efa70d4bc327bafeba44da640)
OmniVista 4760 systems prior to release R5.1 should be upgraded to the latest release and have the patch
installed.
Alcatel-Lucent Business integrated Communication Solution
BiCS R2.1.1, R2.2, R2.2.1: install on the OmniVista 4760 virtual machine the patch
4760_Patch5_For_R510603c_Patch4.zip
BiCS R2.2.2: install on the OmniVista 4760 virtual machine the patch 4760_Patch1_For_R520103d.zip

Mitigations
OmniVista 4760 server is unreachable from the Internet, and on the company’s LAN to anyone but the
properly trained and trusted telephony, system and network administrators.
Telephony administrators performing administrative duties would not follow links received through emails or
browse unsafe web pages from their workstation.
Deployments that only use heavy weight configuration clients or the embedded client running directly on the
OmniVista 4760 server (standalone configuration) are immune.

Workarounds
Implement one or more of the mitigations above.

Discoverer
Devoteam

History
Ed.01 (10jun2011): creation
Ed.02 (27sep2011): Patch published on BPWS
Ed.03 (17oct2011): added BiCS impact information

Security Advisory template v.13