Cisco Bug: CSCur52719 - webvpn href with javascript function - arg ' incorrectly rewritten to \'

Last Modified

Apr 16, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(4.1) 9.1(4.6) 9.1(5) 9.1(5.10) 9.1(5.16) 9.1(5.19)

Description (partial)

Symptom:
When accessing an Oracle Forms application, the Home and Log-out buttons stop working after following a link.

The button's URL is rewritten incorrectly: each ' is escaped as \':

Original:
javascript:_submitNav('DefaultFormName','https%3A//oracle.forms/OA_HTML/OA.jsp%3F_rc%3DFNDPORTALRELEASEAM%26_ri%3D0%26retainAM%3DN%26_ti%3D1383373131%26oapc%3D6%26menu%3DY%26oas%3D5iNPBk5MUP4wzfe6XTM3Mg..')

Rewritten:
javascript:_submitNav(\'DefaultFormName\',\'https%3A/oracle.forms%3A443/OA_HTML/OA.jsp%3F_rc%3DFNDPORTALRELEASEAM%26_ri%3D0%26retainAM%3DN%26_ti%3D1383373131%26oapc%3D6%26menu%3DY%26oas%3D5iNPBk5MUP4wzfe6XTM3Mg..\')


It can also affect other web applications that use an href with a JavaScript function as the destination and ' as the parameter delimiter. For example:

<a href="javascript:selectModule('/portal/intertest', 'intertest');"

rewritten to:

<a href="javascript:selectModule(\'/portal/intertest\', \'intertest\');"

Conditions:
webvpn
Oracle Forms application.
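
As an added example (not part of Cisco's bug note), the following Node.js sketch shows one way to check a captured page for this symptom: it extracts each double-quoted javascript: href, compiles the body without running it, and reports the ones that no longer parse. The function names and the sample markup are assumptions, constructed from the selectModule example above.

```javascript
// Added example: flag javascript: hrefs whose body no longer parses as JavaScript.
// Sample markup at the bottom is constructed from the selectModule example in this note.

// Decode the few HTML entities that commonly appear inside attribute values.
function decodeEntities(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#0*39;|&apos;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Browsers percent-decode a javascript: URL before running it; fall back to raw text.
function percentDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Return the script body of every double-quoted href that uses the javascript: scheme.
function extractJsHrefs(html) {
  const out = [];
  const re = /\bhref\s*=\s*"\s*javascript:([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(percentDecode(decodeEntities(m[1])));
  return out;
}

// Compile (never call) the body so syntax errors surface without executing anything.
function parses(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Broken handlers, each with a flag for this bug's signature: \' right after "(".
function findBrokenJsHrefs(html) {
  return extractJsHrefs(html)
    .filter((body) => !parses(body))
    .map((body) => ({ body, escapedQuoteAfterParen: /\(\s*\\'/.test(body) }));
}

const direct = `<a href="javascript:selectModule('/portal/intertest', 'intertest');">Module</a>`;
const viaPortal = `<a href="javascript:selectModule(\\'/portal/intertest\\', \\'intertest\\');">Module</a>`;
console.log(findBrokenJsHrefs(direct).length, findBrokenJsHrefs(viaPortal));
```

Running the same check on a page fetched directly and on the copy served through webvpn separates links the rewriter broke from links that were already malformed at the origin.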