IBM Endpoint Manager - Persistent Cross-Site Scripting







Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics

During a penetration test, RedTeam Pentesting discovered that the IBM
Endpoint Manager Relay Diagnostics page allows anybody to persistently
store HTML and JavaScript code that is executed when the page is opened
in a browser.


Product: IBM Endpoint Manager
Affected Versions:  9.1.x versions earlier than 9.1.1229,
                    9.2.x versions earlier than
Fixed Versions: 9.1.1229,
Vulnerability Type: Cross-Site Scripting
Security Risk: medium
Vendor URL:
Vendor Status: fixed version released
Advisory URL:
Advisory Status: published
CVE:  CVE-2014-6137


IBM Endpoint Manager products - built on IBM BigFix technology - can
help you achieve smarter, faster endpoint management and security. These
products enable you to see and manage physical and virtual endpoints
including servers, desktops, notebooks, smartphones, tablets and
specialized equipment such as point-of-sale devices, ATMs and
self-service kiosks. Now you can rapidly remediate, protect and report
on endpoints in near real time.

(from the vendor's homepage)

More Details

Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint
Manager, or TEM) components, such as TEM Root Servers or TEM Relays,
typically serve HTTP and HTTPS on port 52311. There, the server or relay
diagnostics page is normally accessible at the path /rd. That page can
be accessed without authentication and lets users query and modify
different information. For example, a TEM Relay can be instructed to
gather a specific version of a certain Fixlet site by requesting a URL
such as the following:

The URL parameter url is susceptible to cross-site scripting. When the
following URL is requested, the browser executes the JavaScript code
provided in the parameter:

The value of that parameter is also stored in the TEM Relay's site list,
so that the embedded JavaScript code is executed whenever the
diagnostics page is opened in a browser:

$ curl

<select NAME="url">

Proof of Concept


Upgrade IBM Endpoint Manager to version 9.1.1229 or

Security Risk

As the relay diagnostics page is typically not frequented by
administrators and does not normally require authentication, it is
unlikely that the vulnerability can be exploited to automatically and
reliably attack administrative users and obtain their credentials.

Nevertheless, the ability to host arbitrary HTML and JavaScript code on
the relay diagnostics page, i.e. on a trusted system, may allow
attackers to conduct very convincing phishing attacks.

This vulnerability is therefore rated as a medium risk.


2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-09-03 Vendor notified
2015-01-13 Vendor releases security bulletin and software upgrade
2015-02-04 Customer approves public disclosure
2015-02-10 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at

RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen          
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen