IBM WebSphere Application Server Multiple CSRF Vulnerabilities
2011-07-22T00:00:00
ID OPENVAS:1361412562310902610 Type openvas Reporter Copyright (c) 2011 SecPod Modified 2019-02-21T00:00:00
Description
The host is running IBM WebSphere Application Server and is
prone to cross-site request forgery vulnerabilities.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_ibm_was_admin_console_csrf_vuln.nasl 13803 2019-02-21 08:24:24Z cfischer $
#
# IBM WebSphere Application Server Multiple CSRF Vulnerabilities
#
# Authors:
# Shashi Kiran N <nskiran@secpod.com>
#
# Copyright:
# Copyright (c) 2011 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Registration block: the scanner runs the script once with `description`
# set to collect metadata and leaves at exit(0); the check itself follows
# after this block.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.902610");
script_version("$Revision: 13803 $");
script_tag(name:"last_modification", value:"$Date: 2019-02-21 09:24:24 +0100 (Thu, 21 Feb 2019) $");
script_tag(name:"creation_date", value:"2011-07-22 12:16:19 +0200 (Fri, 22 Jul 2011)");
# CVE-2010-3271 / BID 48305: CSRF (CWE-352) in the WAS administrative console.
script_cve_id("CVE-2010-3271");
script_bugtraq_id(48305);
# CVSSv2 6.8 — network vector, medium complexity, no authentication,
# partial confidentiality/integrity/availability impact.
script_tag(name:"cvss_base", value:"6.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_name("IBM WebSphere Application Server Multiple CSRF Vulnerabilities");
# Information-gathering category: the check below only compares the version
# string already collected by the detection script; no request is sent.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (c) 2011 SecPod");
script_family("Web Servers");
# Requires the WebSphere detection script to have run and set the
# "installed" key; otherwise this test is skipped by the scheduler.
script_dependencies("gb_ibm_websphere_detect.nasl");
script_mandatory_keys("ibm_websphere_application_server/installed");
# Vendor page, Secunia, X-Force and the Core Security advisory that
# documents the issue and the workarounds (referrer check / ABE rules).
script_xref(name:"URL", value:"http://www-01.ibm.com/software/webservers/appserv/was/");
script_xref(name:"URL", value:"http://secunia.com/advisories/44909");
script_xref(name:"URL", value:"http://xforce.iss.net/xforce/xfdb/68069");
script_xref(name:"URL", value:"http://www.coresecurity.com/content/IBM-WebSphere-CSRF");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"impact", value:"Successful exploitation will allow remote users to gain sensitive
information and conduct other malicious activities.");
# Upper bound used by the version comparison below (7.0.0.13, fix in 7.0.0.14).
script_tag(name:"affected", value:"IBM WebSphere Application Server (WAS) 7.0.0.13 and prior.");
# NOTE(review): "due to by" and the sentence break "functionality. which" are
# wording defects in the user-facing insight text; left byte-identical here.
script_tag(name:"insight", value:"The flaws are due to by improper validation of user-supplied
input in the Global Security panel and master configuration save functionality.
which allows attacker to force a logged-in administrator to perform unwanted actions.");
script_tag(name:"solution", value:"Apply the patch from the referenced advisory.");
script_tag(name:"summary", value:"The host is running IBM WebSphere Application Server and is
prone to cross-site request forgery vulnerabilities.");
script_tag(name:"solution_type", value:"VendorFix");
# remote_banner: the result is inferred from the reported version only, so
# it cannot tell whether the administrative console is actually exposed.
script_tag(name:"qod_type", value:"remote_banner");
exit(0);
}
include("version_func.inc");
include("host_details.inc");
CPE = "cpe:/a:ibm:websphere_application_server";

# The version string is supplied by gb_ibm_websphere_detect.nasl (declared as
# a dependency above); with nothing to compare, leave without a result.
vers = get_app_version(cpe:CPE, nofork:TRUE);
if(!vers) {
  exit(0);
}

# Pure version comparison (qod_type remote_banner): every build up to and
# including 7.0.0.13 is reported, regardless of whether the administrative
# console is reachable on the target.
is_affected = version_is_less_equal(version:vers, test_version:"7.0.0.13");
if(is_affected) {
  report = report_fixed_ver(installed_version:vers, fixed_version:"7.0.0.14");
  security_message(port:0, data:report);
  exit(0);
}

# Version is above the affected range: conventional "checked, not vulnerable".
exit(99);
{"id": "OPENVAS:1361412562310902610", "type": "openvas", "bulletinFamily": "scanner", "title": "IBM WebSphere Application Server Multiple CSRF Vulnerabilities", "description": "The host is running IBM WebSphere Application Server and is\n prone to cross-site request forgery vulnerabilities.", "published": "2011-07-22T00:00:00", "modified": "2019-02-21T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902610", "reporter": "Copyright (c) 2011 SecPod", "references": ["http://www.coresecurity.com/content/IBM-WebSphere-CSRF", "http://xforce.iss.net/xforce/xfdb/68069", "http://www-01.ibm.com/software/webservers/appserv/was/", "http://secunia.com/advisories/44909"], "cvelist": ["CVE-2010-3271"], "lastseen": "2019-05-29T18:39:34", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-3271"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102340"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11745", "SECURITYVULNS:DOC:26574"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C20E52E11FD2CE46B6DA6B37D624455E"]}, {"type": "exploitdb", "idList": ["EDB-ID:17404"]}, {"type": "seebug", "idList": ["SSV:20625"]}, {"type": "openvas", "idList": ["OPENVAS:902610"]}], "modified": "2019-05-29T18:39:34", "rev": 2}, "score": {"value": 7.1, "vector": "NONE", "modified": "2019-05-29T18:39:34", "rev": 2}, "vulnersScore": 7.1}, "pluginID": "1361412562310902610", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ibm_was_admin_console_csrf_vuln.nasl 13803 2019-02-21 08:24:24Z cfischer $\n#\n# IBM WebSphere Application Server Multiple CSRF Vulnerabilities\n#\n# Authors:\n# Shashi Kiran N <nskiran@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it 
under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902610\");\n script_version(\"$Revision: 13803 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-21 09:24:24 +0100 (Thu, 21 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-07-22 12:16:19 +0200 (Fri, 22 Jul 2011)\");\n script_cve_id(\"CVE-2010-3271\");\n script_bugtraq_id(48305);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"IBM WebSphere Application Server Multiple CSRF Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 SecPod\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_ibm_websphere_detect.nasl\");\n script_mandatory_keys(\"ibm_websphere_application_server/installed\");\n\n script_xref(name:\"URL\", value:\"http://www-01.ibm.com/software/webservers/appserv/was/\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/44909\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/68069\");\n script_xref(name:\"URL\", value:\"http://www.coresecurity.com/content/IBM-WebSphere-CSRF\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n 
script_tag(name:\"impact\", value:\"Successful exploitation will allow remote users to gain sensitive\n information and conduct other malicious activities.\");\n\n script_tag(name:\"affected\", value:\"IBM WebSphere Application Server (WAS) 7.0.0.13 and prior.\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to by improper validation of user-supplied\n input in the Global Security panel and master configuration save functionality.\n which allows attacker to force a logged-in administrator to perform unwanted actions.\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"summary\", value:\"The host is running IBM WebSphere Application Server and is\n prone to cross-site request forgery vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nCPE = \"cpe:/a:ibm:websphere_application_server\";\n\nif(!vers = get_app_version(cpe:CPE, nofork:TRUE))\n exit(0);\n\nif(version_is_less_equal(version:vers, test_version:\"7.0.0.13\")){\n report = report_fixed_ver(installed_version:vers, fixed_version:\"7.0.0.14\");\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);", "naslFamily": "Web Servers"}
{"cve": [{"lastseen": "2021-02-02T05:45:01", "description": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Integrated Solutions Console (aka administrative console) in IBM WebSphere Application Server (WAS) 7.0.0.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that disable certain security options via an Edit action to console/adminSecurityDetail.do followed by a save action to console/syncworkspace.do.", "edition": 6, "cvss3": {}, "published": "2011-07-18T22:55:00", "title": "CVE-2010-3271", "type": "cve", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3271"], "modified": "2018-10-10T20:01:00", "cpe": ["cpe:/a:ibm:websphere_application_server:7.0.0.8", "cpe:/a:ibm:websphere_application_server:5.1.1.17", "cpe:/a:ibm:websphere_application_server:5.1.0.5", "cpe:/a:ibm:websphere_application_server:6.0.1.13", "cpe:/a:ibm:websphere_application_server:6.1.0.2", "cpe:/a:ibm:websphere_application_server:7.0.0.3", "cpe:/a:ibm:websphere_application_server:6.1.13", "cpe:/a:ibm:websphere_application_server:6.0.2.19", "cpe:/a:ibm:websphere_application_server:5.0.2.5", "cpe:/a:ibm:websphere_application_server:6.0.1.11", "cpe:/a:ibm:websphere_application_server:3.0", "cpe:/a:ibm:websphere_application_server:6.0.0.1", "cpe:/a:ibm:websphere_application_server:5.1.1.5", "cpe:/a:ibm:websphere_application_server:3.5.3", "cpe:/a:ibm:websphere_application_server:5.1.1", "cpe:/a:ibm:websphere_application_server:3.0.2.1", 
"cpe:/a:ibm:websphere_application_server:5.1.1.3", "cpe:/a:ibm:websphere_application_server:7.0", "cpe:/a:ibm:websphere_application_server:6.1.6", "cpe:/a:ibm:websphere_application_server:5.0.2", "cpe:/a:ibm:websphere_application_server:7.0.0.7", "cpe:/a:ibm:websphere_application_server:7.0.0.9", "cpe:/a:ibm:websphere_application_server:6.1.0.25", "cpe:/a:ibm:websphere_application_server:5.1.1.9", "cpe:/a:ibm:websphere_application_server:4.0.4", "cpe:/a:ibm:websphere_application_server:5.1.1.16", "cpe:/a:ibm:websphere_application_server:6.0.2.30", "cpe:/a:ibm:websphere_application_server:5.0.2.4", "cpe:/a:ibm:websphere_application_server:6.0.2.2", "cpe:/a:ibm:websphere_application_server:6.0", "cpe:/a:ibm:websphere_application_server:6.1.0.5", "cpe:/a:ibm:websphere_application_server:6.0.2.7", "cpe:/a:ibm:websphere_application_server:5.0.2.16", "cpe:/a:ibm:websphere_application_server:5.0.2.13", "cpe:/a:ibm:websphere_application_server:5.0.2.15", "cpe:/a:ibm:websphere_application_server:6.0.1", "cpe:/a:ibm:websphere_application_server:5.0.2.1", "cpe:/a:ibm:websphere_application_server:5.0.2.10", "cpe:/a:ibm:websphere_application_server:6.0.2.25", "cpe:/a:ibm:websphere_application_server:6.0.2.17", "cpe:/a:ibm:websphere_application_server:6.0.2.31", "cpe:/a:ibm:websphere_application_server:6.1.0", "cpe:/a:ibm:websphere_application_server:5.1.0.4", "cpe:/a:ibm:websphere_application_server:4.0.1", "cpe:/a:ibm:websphere_application_server:6.1.0.3", "cpe:/a:ibm:websphere_application_server:6.0.2.15", "cpe:/a:ibm:websphere_application_server:6.0.2.5", "cpe:/a:ibm:websphere_application_server:5.0.2.3", "cpe:/a:ibm:websphere_application_server:5.0.2.9", "cpe:/a:ibm:websphere_application_server:7.0.0.11", "cpe:/a:ibm:websphere_application_server:6.0.1.2", "cpe:/a:ibm:websphere_application_server:6.0.2.13", "cpe:/a:ibm:websphere_application_server:6.0.2.32", "cpe:/a:ibm:websphere_application_server:3.52", "cpe:/a:ibm:websphere_application_server:4.0.2", 
"cpe:/a:ibm:websphere_application_server:6.1.0.29", "cpe:/a:ibm:websphere_application_server:5.0.2.8", "cpe:/a:ibm:websphere_application_server:6.0.2.4", "cpe:/a:ibm:websphere_application_server:6.0.2.29", "cpe:/a:ibm:websphere_application_server:5.1.1.12", "cpe:/a:ibm:websphere_application_server:5.0.2.14", "cpe:/a:ibm:websphere_application_server:6.0.2.3", "cpe:/a:ibm:websphere_application_server:6.1.3", "cpe:/a:ibm:websphere_application_server:5.1.1.2", "cpe:/a:ibm:websphere_application_server:6.1.0.7", "cpe:/a:ibm:websphere_application_server:6.0.1.17", "cpe:/a:ibm:websphere_application_server:6.0.1.9", "cpe:/a:ibm:websphere_application_server:5.1.0", "cpe:/a:ibm:websphere_application_server:5.1.1.8", "cpe:/a:ibm:websphere_application_server:6.0.2.1", "cpe:/a:ibm:websphere_application_server:2.0", "cpe:/a:ibm:websphere_application_server:6.0.2.28", "cpe:/a:ibm:websphere_application_server:6.1.5", "cpe:/a:ibm:websphere_application_server:5.1.0.2", "cpe:/a:ibm:websphere_application_server:6.0.2.22", "cpe:/a:ibm:websphere_application_server:6.1.0.1", "cpe:/a:ibm:websphere_application_server:6.0.2.24", "cpe:/a:ibm:websphere_application_server:5.0", "cpe:/a:ibm:websphere_application_server:5.1.1.13", "cpe:/a:ibm:websphere_application_server:3.5", "cpe:/a:ibm:websphere_application_server:7.0.0.2", "cpe:/a:ibm:websphere_application_server:5.1.1.15", "cpe:/a:ibm:websphere_application_server:6.1.0.11", "cpe:/a:ibm:websphere_application_server:6.0.1.15", "cpe:/a:ibm:websphere_application_server:5.0.2.6", "cpe:/a:ibm:websphere_application_server:6.1.0.21", "cpe:/a:ibm:websphere_application_server:6.0.1.7", "cpe:/a:ibm:websphere_application_server:6.1.0.27", "cpe:/a:ibm:websphere_application_server:5.0.2.11", "cpe:/a:ibm:websphere_application_server:6.0.1.3", "cpe:/a:ibm:websphere_application_server:6.0.2", "cpe:/a:ibm:websphere_application_server:6.0.2.6", "cpe:/a:ibm:websphere_application_server:6.0.0.2", "cpe:/a:ibm:websphere_application_server:5.1.1.7", 
"cpe:/a:ibm:websphere_application_server:5.0.0", "cpe:/a:ibm:websphere_application_server:5.0.1", "cpe:/a:ibm:websphere_application_server:3.0.2.4", "cpe:/a:ibm:websphere_application_server:3.0.21", "cpe:/a:ibm:websphere_application_server:7.0.0.5", "cpe:/a:ibm:websphere_application_server:4.0.3", "cpe:/a:ibm:websphere_application_server:5.1.1.10", "cpe:/a:ibm:websphere_application_server:7.0.0.1", "cpe:/a:ibm:websphere_application_server:5.1.1.6", "cpe:/a:ibm:websphere_application_server:6.1.0.9", "cpe:/a:ibm:websphere_application_server:6.1.0.31", "cpe:/a:ibm:websphere_application_server:6.0.1.5", "cpe:/a:ibm:websphere_application_server:6.1.7", "cpe:/a:ibm:websphere_application_server:6.1.1", "cpe:/a:ibm:websphere_application_server:6.1.0.33", "cpe:/a:ibm:websphere_application_server:6.1.0.12", "cpe:/a:ibm:websphere_application_server:6.0.2.27", "cpe:/a:ibm:websphere_application_server:6.1", "cpe:/a:ibm:websphere_application_server:7.0.0.4", "cpe:/a:ibm:websphere_application_server:6.1.0.0", "cpe:/a:ibm:websphere_application_server:6.0.1.1", "cpe:/a:ibm:websphere_application_server:5.1.1.4", "cpe:/a:ibm:websphere_application_server:6.0.0.3", "cpe:/a:ibm:websphere_application_server:3.0.2", "cpe:/a:ibm:websphere_application_server:5.1.1.11", "cpe:/a:ibm:websphere_application_server:5.0.2.2", "cpe:/a:ibm:websphere_application_server:6.1.0.23", "cpe:/a:ibm:websphere_application_server:3.5.2", "cpe:/a:ibm:websphere_application_server:7.0.0.6", "cpe:/a:ibm:websphere_application_server:5.1.1.1", "cpe:/a:ibm:websphere_application_server:7.0.0.13", "cpe:/a:ibm:websphere_application_server:6.0.2.11", "cpe:/a:ibm:websphere_application_server:3.5.1", "cpe:/a:ibm:websphere_application_server:3.0.2.3", "cpe:/a:ibm:websphere_application_server:6.1.0.19", "cpe:/a:ibm:websphere_application_server:5.1.1.14", "cpe:/a:ibm:websphere_application_server:6.1.0.15", "cpe:/a:ibm:websphere_application_server:6.0.2.23", "cpe:/a:ibm:websphere_application_server:5.1.0.3", 
"cpe:/a:ibm:websphere_application_server:6.1.0.17", "cpe:/a:ibm:websphere_application_server:3.0.2.2", "cpe:/a:ibm:websphere_application_server:5.0.2.7", "cpe:/a:ibm:websphere_application_server:5.0.2.12", "cpe:/a:ibm:websphere_application_server:6.0.2.9", "cpe:/a:ibm:websphere_application_server:6.1.14"], "id": "CVE-2010-3271", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3271", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ibm:websphere_application_server:6.0.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.31:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.25:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.23:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.31:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.0.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.29:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:4.0.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:ibm:websphere_application_server:5.1.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.33:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.0.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.6:*:*:*:*:*:*:*", 
"cpe:2.3:a:ibm:websphere_application_server:6.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.29:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.22:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.16:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.1.17:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.17:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.19:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:ibm:websphere_application_server:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.13:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.27:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.13:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.32:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.14:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.30:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.14:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.12:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.16:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.27:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.6:*:*:*:*:*:*:*", 
"cpe:2.3:a:ibm:websphere_application_server:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.1.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.0.21:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.52:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.0.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:7.0.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.15:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.0.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.14:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.13:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:3.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.0.2.13:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.17:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:5.1.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.2.28:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:6.0.1.13:*:*:*:*:*:*:*", 
"cpe:2.3:a:ibm:websphere_application_server:5.1.1.2:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-09-04T14:20:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-3271"], "description": "The host is running IBM WebSphere Application Server and is\nprone to cross-site request forgery vulnerabilities.", "modified": "2017-09-01T00:00:00", "published": "2011-07-22T00:00:00", "id": "OPENVAS:902610", "href": "http://plugins.openvas.org/nasl.php?oid=902610", "type": "openvas", "title": "IBM WebSphere Application Server Multiple CSRF Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ibm_was_admin_console_csrf_vuln.nasl 7044 2017-09-01 11:50:59Z teissa $\n#\n# IBM WebSphere Application Server Multiple CSRF Vulnerabilities\n#\n# Authors:\n# Shashi Kiran N <nskiran@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow remote users to gain sensitive\ninformation and conduct other malicious activities.\n\nImpact Level: Application\";\n\ntag_affected = \"IBM WebSphere Application Server (WAS) 7.0.0.13 and prior.\";\n\ntag_insight = \"The flaws are due to by improper validation of user-supplied\ninput in the Global Security panel and master configuration save functionality.\nwhich allows attacker to force a logged-in administrator to perform unwanted\nactions.\";\n\ntag_solution = \"Apply the patch from vendor link,\nhttp://www-01.ibm.com/software/webservers/appserv/was/\";\n\ntag_summary = \"The host is running IBM WebSphere Application Server and is\nprone to cross-site request forgery vulnerabilities.\";\n\nif(description)\n{\n script_id(902610);\n script_version(\"$Revision: 7044 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-01 13:50:59 +0200 (Fri, 01 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-07-22 12:16:19 +0200 (Fri, 22 Jul 2011)\");\n script_cve_id(\"CVE-2010-3271\");\n script_bugtraq_id(48305);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"IBM WebSphere Application Server Multiple CSRF Vulnerabilities\");\n\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 SecPod\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_ibm_websphere_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"impact\" , value : 
tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/44909\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/68069\");\n script_xref(name : \"URL\" , value : \"http://www.coresecurity.com/content/IBM-WebSphere-CSRF\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nCPE = 'cpe:/a:ibm:websphere_application_server';\n\nif( ! vers = get_app_version( cpe:CPE, nofork:TRUE ) ) exit( 0 );\n\n## Checking IBM WebSphere Application Server version 7.0.0.13 and prior\nif(version_is_less_equal(version:vers, test_version:\"7.0.0.13\")){\n report = report_fixed_ver( installed_version:vers, fixed_version:'7.0.0.14' );\n security_message(port:0, data:report);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T07:47:45", "description": "IBM WebSphere Application Server 7.0.0.13 - CSRF Vulnerability. CVE-2010-3271. Webapps exploits for multiple platform", "published": "2011-06-15T00:00:00", "type": "exploitdb", "title": "IBM WebSphere Application Server 7.0.0.13 - CSRF Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3271"], "modified": "2011-06-15T00:00:00", "id": "EDB-ID:17404", "href": "https://www.exploit-db.com/exploits/17404/", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\n IBM WebSphere Application Server Cross-Site Request Forgery\r\n\r\n\r\n1. 
*Advisory Information*\r\n\r\nTitle: IBM WebSphere Application Server Cross-Site Request Forgery\r\nAdvisory ID: CORE-2010-1021\r\nAdvisory URL: http://www.coresecurity.com/content/IBM-WebSphere-CSRF\r\nDate published: 2011-06-15\r\nDate of last update: 2011-06-15\r\nVendors contacted: IBM\r\nRelease mode: User release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Cross-Site Request Forgery (CSRF) [CWE-352]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2010-3271\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nWebSphere is IBM's integration software platform. It includes the entire\r\nmiddleware infrastructure --such as servers, services, and tools--\r\nneeded to write, run, and monitor 24x7 industrial-strength, on demand\r\nWeb applications and cross-platform, cross-product solutions. WebSphere\r\nApplication Server is the base for the infrastructure; everything else\r\nruns on top of it [1].\r\n\r\nThe administrative console of IBM WebSphere Application Server is\r\nvulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be\r\nexploited by remote attackers to force a logged-in administrator to\r\nperform unwanted actions on the IBM WebSphere administrative console, by\r\nenticing him to visit a malicious web page.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . IBM WebSphere Application Server 7.0.0.11\r\n . IBM WebSphere Application Server 7.0.0.13\r\n . Older versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\nContact the vendor for a fix.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nContact the vendor for a fix. The following are workarounds for this issue.\r\n\r\n6.1. *Server side*\r\n\r\nAccording to OWASP [2], CSRF vulnerabilities can be avoided by checking\r\nthe referrer of the HTTP request and verifying that the request comes\r\nfrom the original site. 
A potential workaround is thus to set a rule on\r\na Web Application Firewall that checks the referrer of the requests, and\r\nverifies that all the requests to the WebSphere administrative console\r\nare originated from the same site.\r\n\r\n6.2. *Client side*\r\n\r\nAn administrator of WebSphere administrative console could mitigate the\r\nbug by using Firefox and the NoScript add-on; more precisely by making\r\nuse of the ABE [3] (Application Boundaries Enforcer) feature of\r\nNoScript. With ABE it is possible to define rules such as the following:\r\n\r\n/-----\r\nSite *.example.com\r\nAccept from SELF\r\nDeny\r\n- -----/\r\n\r\nThis rule applies to *.example.com; it will allow all the requests made\r\nfrom the same site, and block all the requests directed to *.example.com\r\nbut generated from any other site, avoiding that Firefox sends the\r\nrequest to the server. The syntax of the ABE rules is defined here:\r\nhttp://noscript.net/abe/abe_rules.pdf\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered and researched by Francisco Falcon\r\nfrom Core Security Technologies during Bugweek 2010 [4]. Additional\r\nresearch was performed by Alejandro Rodriguez. Publication was\r\ncoordinated by Carlos Sarraute.\r\n\r\n\r\n8. 
*Technical Description / Proof of Concept Code*\r\n\r\nThe administrative console (also known as Integrated Solutions Console)\r\nof IBM WebSphere Application Server is vulnerable to Cross-Site Request\r\nForgery (CSRF) [2] attacks, which can be exploited by remote attackers\r\nto force a logged-in administrator to perform unwanted actions on the\r\nIBM WebSphere administrative console, by enticing him to visit a\r\nmalicious web page.\r\n\r\nThe administrative console of IBM WebSphere Application Server includes\r\na standard protection mechanism against Cross-Site Request Forgery,\r\nwhich consists of a token that is included as a hidden field on every\r\n'FORM', named 'csrfid', that is sent to the web server in each 'POST'\r\nrequest performed by the web browser. When the web server receives a\r\n'POST' request, it checks that the 'csrfid' token included in the\r\nparameters of the 'POST' request matches the anti-CSRF token associated\r\nwith the current session. If they do not match, then IBM WebSphere\r\nresponds with an \"'Unauthorized Request'\" message, thus effectively\r\npreventing CSRF.\r\n\r\nHowever, in certain areas of the administrative console, WebSphere\r\nforgets to check the value of the 'csrfid' token when processing 'POST'\r\nrequests, even though the 'csrfid' hidden field is included in every\r\n'FORM', making the application vulnerable to Cross-Site Request Forgery.\r\n\r\nThe vulnerable areas of the WebSphere administrative console include the\r\n'Security > Global Security' panel [6], and the 'Save changes to the\r\nmaster configuration' feature. This makes possible for a remote attacker\r\nto disable the 'Administrative Security', 'Application Security' and\r\n'Java 2 Security' options, and then to save the changes to the\r\nconfiguration, by tricking an IBM WebSphere administrator which is\r\ncurrently logged in to the administrative console to visit a malicious\r\nweb page. 
Also note that IBM WebSphere 7.0 with Fix Pack 11 did not\r\ninclude a 'csrfid' token for the 'Save changes to the master\r\nconfiguration' feature; Fix Pack 13 introduced it, but anyways it is\r\nignored on the server side when processing a request to save the master\r\nconfiguration.\r\n\r\nThe following HTML code is a Proof-of-Concept of a specially crafted web\r\npage that will leverage the CSRF vulnerability in order to disable the\r\n'Administrative Security', 'Application Security' and 'Java 2 Security'\r\noptions, if a logged-in administrator visits it:\r\n\r\n/-----\r\n<html>\r\n<body>\r\n<iframe id=\"iframe1\" style=\"visibility:hidden\"></iframe>\r\n<iframe id=\"iframe2\" style=\"visibility:hidden\"></iframe>\r\n <script>\r\n //The first request disables \"Administrative security\" and\r\n\"Application security\" options\r\n document.getElementById(\"iframe1\").src =\r\n\"https://<ip>:9043/ibm/console/adminSecurityDetail.do?action=Edit&displayActiveUserRegistry=Repositorios+federados&selectUserRegistry=WIM&activeAuthMechanism=LTPA&apply=Aplicar\";\r\n\r\n //The second request saves the changes in the WebSphere configuration\r\n document.getElementById(\"iframe2\").src =\r\n\"https://<ip>:9043/ibm/console/syncworkspace.do?saveaction=save&directsave=true\";\r\n </script>\r\n</iframe>\r\n</body>\r\n</html>\r\n\r\n- -----/\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2010-11-24:\r\nCore Security Technologies contacts IBM, requesting the proper point of\r\ncontact to report a security vulnerability in IBM WebSphere Application\r\nServer.\r\n\r\n. 2010-11-29:\r\nVendor responds providing the point of contact to report the\r\nvulnerability, and its PGP key to encrypt communications.\r\n\r\n. 2010-12-14:\r\nCore sends an advisory draft, containing the technical details needed to\r\nreproduce the vulnerability. Publication of Core's advisory is\r\ntemporarily set to January 10, 2011.\r\n\r\n. 
2010-12-14:\r\nIBM acknowledges the receipt of the technical information.\r\n\r\n. 2010-12-21:\r\nCore asks the vendor whether it was able to reproduce the vulnerability.\r\n\r\n. 2011-01-05:\r\nVendor responds that it was able to reproduce the issue and confirms\r\nthere is a vulnerability. Vendor informs Core that it is still working\r\nthrough the total products affected, that it is multiple products, and\r\nthat this vulnerability is creating real issues on being able to resolve\r\nit. Vendor requests Core an extension on the release date while it\r\ncompletes the full evaluation of risk assessment and remedy production.\r\nVendor expects to have that information in the following 2 weeks.\r\n\r\n. 2011-01-06:\r\nCore responds that it is willing to postpone the publication of its\r\nadvisory. However to take that decision more information about the\r\nvendor's analysis of the vulnerability and its plans for developing a\r\nfix is required. In particular, Core requests a list of all affected\r\nproducts and versions, and also some insight on the difficulties of\r\nfixing this issue. In the meantime, the publication of this advisory is\r\nrescheduled to February 15th, 2011. (No reply received.)\r\n\r\n. 2011-01-31:\r\nSince more than 3 weeks have passed since the last communication, Core\r\nrequests an update on this issue. In particular Core requests to receive\r\ninformation respect to:\r\n\r\n . the vendor's analysis of the vulnerability,\r\n . the vendor's plans for developing a fix,\r\n . a list of affected products and versions.\r\n\r\n. 2011-02-01:\r\nCore reminds the vendor that in case of not receiving an answer, it will\r\npublish its advisory as \"user release\" on the scheduled date (February\r\n15th, 2011).\r\n\r\n. 2011-02-01:\r\nVendor replies that it has asked a status update from the WebSphere team\r\nto convey to Core, and will provide it briefly.\r\n\r\n. 2011-02-08:\r\nCore requests an update on this issue.\r\n\r\n. 
2011-02-14:\r\nCore reminds the vendor that the advisory is scheduled to be published\r\non February 15th. Core communicates its willingness to publish the\r\nadvisory as \"coordinated release\" based on concrete feedback from the\r\nvendor.\r\n\r\n. 2011-02-14:\r\nVendor communicates Core that it is working on a statement to provide\r\nfor Core, and that since the PSIRT is a new mechanism within IBM, it is\r\nstill defining the way to provide consistent statements. In the\r\nmeantime, the vendor informs that:\r\n\r\n . The vendor has a potential solution designed and partially\r\nimplemented to fully secure the console. It is in the process of\r\nreviewing the design and the impact to stack products.\r\n . There are an unknown number of stack products affected. WebSphere\r\nApplication Server (WAS) stack products that use the ISC (Integrated\r\nSolutions Console) based console are affected. The vendor is still\r\ngathering the list of products affected, and must determine the impact\r\nof implementing the fix.\r\n . There is a meeting planned to decide on the final solution to be\r\nimplemented and determine the key delivery dates. These decisions will\r\nbe taken in mid March or later.\r\n . The target dates for release reach into Q3 2011.\r\n\r\n. 2011-02-17:\r\nCore replies that it has rescheduled publication of its advisory (for\r\nthe second time) to March 21, 2011, in order to give PSIRT more time to\r\ncome up with concrete responses to the requested information. Core\r\nprovides additional information about its own publication process [5].\r\nWithout additional information, it is difficult for Core to understand\r\nthe reason why users of vulnerable WebSphere software should remain\r\nwithout any solution until Q3 2011.\r\n\r\n. 
2011-03-17:\r\nAfter 1 month of silence, the vendor informs Core that IBM's point of\r\ncontact for this issue has changed, and that further communications will\r\nbe handled by the head of IBM's Secure By Design initiative which\r\nincludes the IBM PSIRT.\r\n\r\n. 2011-03-17:\r\nVendor requests Core to postpone the publication of its advisory until\r\nearly October 2011.\r\n\r\n. 2011-03-18:\r\nVendor communicates that since Core hasn't responded to the request\r\n(sent the previous day) of deferring the public disclosure of this\r\nsecurity vulnerability from 21 March to early October 2011, IBM\r\nconsiders that Core agrees.\r\n\r\n. 2011-03-21:\r\nCore answers that October 2011 is well beyond what it considers a\r\nreasonable timeframe to patch the type of bug that it has reported (a\r\nCross-Site Request Forgery). Additionally the vendor didn't provide Core\r\na technical analysis of the bug, explaining the difficulty to patch it\r\n(and why it would take IBM around 10 months to release fixes). The\r\nvendor didn't provide either the requested list of affected products and\r\nversions. According to Core's publication policy, the decision of\r\npostponing the publication of an advisory cannot be taken without\r\ntechnical arguments that justify that decision. This is why Core cannot\r\nagree with IBM's request to postpone publication until October 2011,\r\nunless the requested technical information is provided by the vendor.\r\n(No reply received.)\r\n\r\n. 2011-04-25:\r\nCore communicates the vendor that it has rescheduled the publication of\r\nits advisory to June 14th, 2011. That date corresponds to a 6 month\r\ntimeframe after technical details about this vulnerability were sent to\r\nIBM (on December 14th, 2010), and is considered final. (No reply received.)\r\n\r\n. 2011-06-15:\r\nThe advisory CORE-2010-1021 is published.\r\n\r\n\r\n10. 
*References*\r\n\r\n[1] IBM WebSphere Application Server:\r\nhttp://www-01.ibm.com/software/webservers/appserv/was/\r\n\r\n[2] Cross-Site Request Forgery (CSRF)\r\nhttp://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\r\n\r\n[3] Application Boundaries Enforcer (ABE)\r\nhttp://noscript.net/abe/\r\n\r\n[4] The author participated in Core Security's Bugweek 2010 as member of\r\nthe team \"Ex Tester fuErTes and Exploit Testers\".\r\n\r\n[5] Finding bugs and publishing advisories _ the Core Security way\r\nhttp://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Finding_bugs_and_publishing_advisories\r\n\r\n[6] IBM WebSphere Reference, Global Security settings:\r\nhttp://publib.boulder.ibm.com/infocenter/wasinfo/fep/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/usec_secureadminappinfra.html\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. 
Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2011 Core Security\r\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\n\r\niEYEARECAAYFAk35HjUACgkQyNibggitWa167gCfXeOi6AS7D37B3KCKs6Jcj1s+\r\nzvIAn0siKkTeoI98lg6ng54dX78N4Vwd\r\n=rWih\r\n-----END PGP SIGNATURE-----", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/17404/"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:42", "bulletinFamily": "software", "cvelist": ["CVE-2010-3271"], "description": "Crossite request forgery via administration console.", "edition": 1, "modified": "2011-06-19T00:00:00", "published": "2011-06-19T00:00:00", "id": "SECURITYVULNS:VULN:11745", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11745", "title": "IBM WebSphere crossite request forgery", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, 
{"lastseen": "2018-08-31T11:10:41", "bulletinFamily": "software", "cvelist": ["CVE-2010-3271"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\n IBM WebSphere Application Server Cross-Site Request Forgery\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: IBM WebSphere Application Server Cross-Site Request Forgery\r\nAdvisory ID: CORE-2010-1021\r\nAdvisory URL: http://www.coresecurity.com/content/IBM-WebSphere-CSRF\r\nDate published: 2011-06-15\r\nDate of last update: 2011-06-15\r\nVendors contacted: IBM\r\nRelease mode: User release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Cross-Site Request Forgery (CSRF) [CWE-352]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2010-3271\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nWebSphere is IBM's integration software platform. It includes the entire\r\nmiddleware infrastructure --such as servers, services, and tools--\r\nneeded to write, run, and monitor 24x7 industrial-strength, on demand\r\nWeb applications and cross-platform, cross-product solutions. WebSphere\r\nApplication Server is the base for the infrastructure; everything else\r\nruns on top of it [1].\r\n\r\nThe administrative console of IBM WebSphere Application Server is\r\nvulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be\r\nexploited by remote attackers to force a logged-in administrator to\r\nperform unwanted actions on the IBM WebSphere administrative console, by\r\nenticing him to visit a malicious web page.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . IBM WebSphere Application Server 7.0.0.11\r\n . IBM WebSphere Application Server 7.0.0.13\r\n . Older versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\nContact the vendor for a fix.\r\n\r\n\r\n6. 
*Vendor Information, Solutions and Workarounds*\r\n\r\nContact the vendor for a fix. The following are workarounds for this issue.\r\n\r\n6.1. *Server side*\r\n\r\nAccording to OWASP [2], CSRF vulnerabilities can be avoided by checking\r\nthe referrer of the HTTP request and verifying that the request comes\r\nfrom the original site. A potential workaround is thus to set a rule on\r\na Web Application Firewall that checks the referrer of the requests, and\r\nverifies that all the requests to the WebSphere administrative console\r\nare originated from the same site.\r\n\r\n6.2. *Client side*\r\n\r\nAn administrator of WebSphere administrative console could mitigate the\r\nbug by using Firefox and the NoScript add-on; more precisely by making\r\nuse of the ABE [3] (Application Boundaries Enforcer) feature of\r\nNoScript. With ABE it is possible to define rules such as the following:\r\n\r\n/-----\r\nSite *.example.com\r\nAccept from SELF\r\nDeny\r\n- -----/\r\n\r\nThis rule applies to *.example.com; it will allow all the requests made\r\nfrom the same site, and block all the requests directed to *.example.com\r\nbut generated from any other site, avoiding that Firefox sends the\r\nrequest to the server. The syntax of the ABE rules is defined here:\r\nhttp://noscript.net/abe/abe_rules.pdf\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered and researched by Francisco Falcon\r\nfrom Core Security Technologies during Bugweek 2010 [4]. Additional\r\nresearch was performed by Alejandro Rodriguez. Publication was\r\ncoordinated by Carlos Sarraute.\r\n\r\n\r\n8. 
*Technical Description / Proof of Concept Code*\r\n\r\nThe administrative console (also known as Integrated Solutions Console)\r\nof IBM WebSphere Application Server is vulnerable to Cross-Site Request\r\nForgery (CSRF) [2] attacks, which can be exploited by remote attackers\r\nto force a logged-in administrator to perform unwanted actions on the\r\nIBM WebSphere administrative console, by enticing him to visit a\r\nmalicious web page.\r\n\r\nThe administrative console of IBM WebSphere Application Server includes\r\na standard protection mechanism against Cross-Site Request Forgery,\r\nwhich consists of a token that is included as a hidden field on every\r\n'FORM', named 'csrfid', that is sent to the web server in each 'POST'\r\nrequest performed by the web browser. When the web server receives a\r\n'POST' request, it checks that the 'csrfid' token included in the\r\nparameters of the 'POST' request matches the anti-CSRF token associated\r\nwith the current session. If they do not match, then IBM WebSphere\r\nresponds with an "'Unauthorized Request'" message, thus effectively\r\npreventing CSRF.\r\n\r\nHowever, in certain areas of the administrative console, WebSphere\r\nforgets to check the value of the 'csrfid' token when processing 'POST'\r\nrequests, even though the 'csrfid' hidden field is included in every\r\n'FORM', making the application vulnerable to Cross-Site Request Forgery.\r\n\r\nThe vulnerable areas of the WebSphere administrative console include the\r\n'Security > Global Security' panel [6], and the 'Save changes to the\r\nmaster configuration' feature. This makes possible for a remote attacker\r\nto disable the 'Administrative Security', 'Application Security' and\r\n'Java 2 Security' options, and then to save the changes to the\r\nconfiguration, by tricking an IBM WebSphere administrator which is\r\ncurrently logged in to the administrative console to visit a malicious\r\nweb page. 
Also note that IBM WebSphere 7.0 with Fix Pack 11 did not\r\ninclude a 'csrfid' token for the 'Save changes to the master\r\nconfiguration' feature; Fix Pack 13 introduced it, but anyways it is\r\nignored on the server side when processing a request to save the master\r\nconfiguration.\r\n\r\nThe following HTML code is a Proof-of-Concept of a specially crafted web\r\npage that will leverage the CSRF vulnerability in order to disable the\r\n'Administrative Security', 'Application Security' and 'Java 2 Security'\r\noptions, if a logged-in administrator visits it:\r\n\r\n/-----\r\n<html>\r\n<body>\r\n<iframe id="iframe1" style="visibility:hidden"></iframe>\r\n<iframe id="iframe2" style="visibility:hidden"></iframe>\r\n <script>\r\n //The first request disables "Administrative security" and\r\n"Application security" options\r\n document.getElementById("iframe1").src =\r\n"https://<ip>:9043/ibm/console/adminSecurityDetail.do?action=Edit&displayActiveUserRegistry=Repositorios+federados&selectUserRegistry=WIM&activeAuthMechanism=LTPA&apply=Aplicar";\r\n\r\n //The second request saves the changes in the WebSphere configuration\r\n document.getElementById("iframe2").src =\r\n"https://<ip>:9043/ibm/console/syncworkspace.do?saveaction=save&directsave=true";\r\n </script>\r\n</iframe>\r\n</body>\r\n</html>\r\n\r\n- -----/\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n 2010-11-24:\r\nCore Security Technologies contacts IBM, requesting the proper point of\r\ncontact to report a security vulnerability in IBM WebSphere Application\r\nServer.\r\n\r\n 2010-11-29:\r\nVendor responds providing the point of contact to report the\r\nvulnerability, and its PGP key to encrypt communications.\r\n\r\n 2010-12-14:\r\nCore sends an advisory draft, containing the technical details needed to\r\nreproduce the vulnerability. 
Publication of Core's advisory is\r\ntemporarily set to January 10, 2011.\r\n\r\n 2010-12-14:\r\nIBM acknowledges the receipt of the technical information.\r\n\r\n 2010-12-21:\r\nCore asks the vendor whether it was able to reproduce the vulnerability.\r\n\r\n 2011-01-05:\r\nVendor responds that it was able to reproduce the issue and confirms\r\nthere is a vulnerability. Vendor informs Core that it is still working\r\nthrough the total products affected, that it is multiple products, and\r\nthat this vulnerability is creating real issues on being able to resolve\r\nit. Vendor requests Core an extension on the release date while it\r\ncompletes the full evaluation of risk assessment and remedy production.\r\nVendor expects to have that information in the following 2 weeks.\r\n\r\n 2011-01-06:\r\nCore responds that it is willing to postpone the publication of its\r\nadvisory. However to take that decision more information about the\r\nvendor's analysis of the vulnerability and its plans for developing a\r\nfix is required. In particular, Core requests a list of all affected\r\nproducts and versions, and also some insight on the difficulties of\r\nfixing this issue. In the meantime, the publication of this advisory is\r\nrescheduled to February 15th, 2011. (No reply received.)\r\n\r\n 2011-01-31:\r\nSince more than 3 weeks have passed since the last communication, Core\r\nrequests an update on this issue. In particular Core requests to receive\r\ninformation respect to:\r\n\r\n . the vendor's analysis of the vulnerability,\r\n . the vendor's plans for developing a fix,\r\n . 
a list of affected products and versions.\r\n\r\n 2011-02-01:\r\nCore reminds the vendor that in case of not receiving an answer, it will\r\npublish its advisory as "user release" on the scheduled date (February\r\n15th, 2011).\r\n\r\n 2011-02-01:\r\nVendor replies that it has asked a status update from the WebSphere team\r\nto convey to Core, and will provide it briefly.\r\n\r\n 2011-02-08:\r\nCore requests an update on this issue.\r\n\r\n 2011-02-14:\r\nCore reminds the vendor that the advisory is scheduled to be published\r\non February 15th. Core communicates its willingness to publish the\r\nadvisory as "coordinated release" based on concrete feedback from the\r\nvendor.\r\n\r\n 2011-02-14:\r\nVendor communicates Core that it is working on a statement to provide\r\nfor Core, and that since the PSIRT is a new mechanism within IBM, it is\r\nstill defining the way to provide consistent statements. In the\r\nmeantime, the vendor informs that:\r\n\r\n . The vendor has a potential solution designed and partially\r\nimplemented to fully secure the console. It is in the process of\r\nreviewing the design and the impact to stack products.\r\n . There are an unknown number of stack products affected. WebSphere\r\nApplication Server (WAS) stack products that use the ISC (Integrated\r\nSolutions Console) based console are affected. The vendor is still\r\ngathering the list of products affected, and must determine the impact\r\nof implementing the fix.\r\n . There is a meeting planned to decide on the final solution to be\r\nimplemented and determine the key delivery dates. These decisions will\r\nbe taken in mid March or later.\r\n . The target dates for release reach into Q3 2011.\r\n\r\n 2011-02-17:\r\nCore replies that it has rescheduled publication of its advisory (for\r\nthe second time) to March 21, 2011, in order to give PSIRT more time to\r\ncome up with concrete responses to the requested information. 
Core\r\nprovides additional information about its own publication process [5].\r\nWithout additional information, it is difficult for Core to understand\r\nthe reason why users of vulnerable WebSphere software should remain\r\nwithout any solution until Q3 2011.\r\n\r\n 2011-03-17:\r\nAfter 1 month of silence, the vendor informs Core that IBM's point of\r\ncontact for this issue has changed, and that further communications will\r\nbe handled by the head of IBM's Secure By Design initiative which\r\nincludes the IBM PSIRT.\r\n\r\n 2011-03-17:\r\nVendor requests Core to postpone the publication of its advisory until\r\nearly October 2011.\r\n\r\n 2011-03-18:\r\nVendor communicates that since Core hasn't responded to the request\r\n(sent the previous day) of deferring the public disclosure of this\r\nsecurity vulnerability from 21 March to early October 2011, IBM\r\nconsiders that Core agrees.\r\n\r\n 2011-03-21:\r\nCore answers that October 2011 is well beyond what it considers a\r\nreasonable timeframe to patch the type of bug that it has reported (a\r\nCross-Site Request Forgery). Additionally the vendor didn't provide Core\r\na technical analysis of the bug, explaining the difficulty to patch it\r\n(and why it would take IBM around 10 months to release fixes). The\r\nvendor didn't provide either the requested list of affected products and\r\nversions. According to Core's publication policy, the decision of\r\npostponing the publication of an advisory cannot be taken without\r\ntechnical arguments that justify that decision. This is why Core cannot\r\nagree with IBM's request to postpone publication until October 2011,\r\nunless the requested technical information is provided by the vendor.\r\n(No reply received.)\r\n\r\n 2011-04-25:\r\nCore communicates the vendor that it has rescheduled the publication of\r\nits advisory to June 14th, 2011. 
That date corresponds to a 6 month\r\ntimeframe after technical details about this vulnerability were sent to\r\nIBM (on December 14th, 2010), and is considered final. (No reply received.)\r\n\r\n 2011-06-15:\r\nThe advisory CORE-2010-1021 is published.\r\n\r\n\r\n10. *References*\r\n\r\n[1] IBM WebSphere Application Server:\r\nhttp://www-01.ibm.com/software/webservers/appserv/was/\r\n\r\n[2] Cross-Site Request Forgery (CSRF)\r\nhttp://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\r\n\r\n[3] Application Boundaries Enforcer (ABE)\r\nhttp://noscript.net/abe/\r\n\r\n[4] The author participated in Core Security's Bugweek 2010 as member of\r\nthe team "Ex Tester fuErTes and Exploit Testers".\r\n\r\n[5] Finding bugs and publishing advisories _ the Core Security way\r\nhttp://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Finding_bugs_and_publishing_advisories\r\n\r\n[6] IBM WebSphere Reference, Global Security settings:\r\nhttp://publib.boulder.ibm.com/infocenter/wasinfo/fep/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/usec_secureadminappinfra.html\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. 
*About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2011 Core Security\r\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\n\r\niEYEARECAAYFAk35HjUACgkQyNibggitWa167gCfXeOi6AS7D37B3KCKs6Jcj1s+\r\nzvIAn0siKkTeoI98lg6ng54dX78N4Vwd\r\n=rWih\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2011-06-19T00:00:00", "published": "2011-06-19T00:00:00", "id": "SECURITYVULNS:DOC:26574", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26574", "title": "CORE-2010-1021: IBM WebSphere Application Server Cross-Site Request Forgery", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:46", "description": "", "published": "2011-06-16T00:00:00", "type": "packetstorm", "title": "Core Security Technologies Advisory 2010.1021", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3271"], "modified": "2011-06-16T00:00:00", "id": "PACKETSTORM:102340", "href": "https://packetstormsecurity.com/files/102340/Core-Security-Technologies-Advisory-2010.1021.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nCore Security Technologies - CoreLabs Advisory \nhttp://corelabs.coresecurity.com/ \n \nIBM WebSphere Application Server Cross-Site Request Forgery \n \n \n1. *Advisory Information* \n \nTitle: IBM WebSphere Application Server Cross-Site Request Forgery \nAdvisory ID: CORE-2010-1021 \nAdvisory URL: http://www.coresecurity.com/content/IBM-WebSphere-CSRF \nDate published: 2011-06-15 \nDate of last update: 2011-06-15 \nVendors contacted: IBM \nRelease mode: User release \n \n \n2. 
*Vulnerability Information* \n \nClass: Cross-Site Request Forgery (CSRF) [CWE-352] \nImpact: Code execution \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE Name: CVE-2010-3271 \n \n \n3. *Vulnerability Description* \n \nWebSphere is IBM's integration software platform. It includes the entire \nmiddleware infrastructure --such as servers, services, and tools-- \nneeded to write, run, and monitor 24x7 industrial-strength, on demand \nWeb applications and cross-platform, cross-product solutions. WebSphere \nApplication Server is the base for the infrastructure; everything else \nruns on top of it [1]. \n \nThe administrative console of IBM WebSphere Application Server is \nvulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be \nexploited by remote attackers to force a logged-in administrator to \nperform unwanted actions on the IBM WebSphere administrative console, by \nenticing him to visit a malicious web page. \n \n \n4. *Vulnerable packages* \n \n. IBM WebSphere Application Server 7.0.0.11 \n. IBM WebSphere Application Server 7.0.0.13 \n. Older versions are probably affected too, but they were not checked. \n \n \n5. *Non-vulnerable packages* \n \nContact the vendor for a fix. \n \n \n6. *Vendor Information, Solutions and Workarounds* \n \nContact the vendor for a fix. The following are workarounds for this issue. \n \n6.1. *Server side* \n \nAccording to OWASP [2], CSRF vulnerabilities can be avoided by checking \nthe referrer of the HTTP request and verifying that the request comes \nfrom the original site. A potential workaround is thus to set a rule on \na Web Application Firewall that checks the referrer of the requests, and \nverifies that all the requests to the WebSphere administrative console \nare originated from the same site. \n \n6.2. 
*Client side* \n \nAn administrator of WebSphere administrative console could mitigate the \nbug by using Firefox and the NoScript add-on; more precisely by making \nuse of the ABE [3] (Application Boundaries Enforcer) feature of \nNoScript. With ABE it is possible to define rules such as the following: \n \n/----- \nSite *.example.com \nAccept from SELF \nDeny \n- -----/ \n \nThis rule applies to *.example.com; it will allow all the requests made \nfrom the same site, and block all the requests directed to *.example.com \nbut generated from any other site, avoiding that Firefox sends the \nrequest to the server. The syntax of the ABE rules is defined here: \nhttp://noscript.net/abe/abe_rules.pdf \n \n \n7. *Credits* \n \nThis vulnerability was discovered and researched by Francisco Falcon \nfrom Core Security Technologies during Bugweek 2010 [4]. Additional \nresearch was performed by Alejandro Rodriguez. Publication was \ncoordinated by Carlos Sarraute. \n \n \n8. *Technical Description / Proof of Concept Code* \n \nThe administrative console (also known as Integrated Solutions Console) \nof IBM WebSphere Application Server is vulnerable to Cross-Site Request \nForgery (CSRF) [2] attacks, which can be exploited by remote attackers \nto force a logged-in administrator to perform unwanted actions on the \nIBM WebSphere administrative console, by enticing him to visit a \nmalicious web page. \n \nThe administrative console of IBM WebSphere Application Server includes \na standard protection mechanism against Cross-Site Request Forgery, \nwhich consists of a token that is included as a hidden field on every \n'FORM', named 'csrfid', that is sent to the web server in each 'POST' \nrequest performed by the web browser. When the web server receives a \n'POST' request, it checks that the 'csrfid' token included in the \nparameters of the 'POST' request matches the anti-CSRF token associated \nwith the current session. 
If they do not match, then IBM WebSphere \nresponds with an \"'Unauthorized Request'\" message, thus effectively \npreventing CSRF. \n \nHowever, in certain areas of the administrative console, WebSphere \nforgets to check the value of the 'csrfid' token when processing 'POST' \nrequests, even though the 'csrfid' hidden field is included in every \n'FORM', making the application vulnerable to Cross-Site Request Forgery. \n \nThe vulnerable areas of the WebSphere administrative console include the \n'Security > Global Security' panel [6], and the 'Save changes to the \nmaster configuration' feature. This makes possible for a remote attacker \nto disable the 'Administrative Security', 'Application Security' and \n'Java 2 Security' options, and then to save the changes to the \nconfiguration, by tricking an IBM WebSphere administrator which is \ncurrently logged in to the administrative console to visit a malicious \nweb page. Also note that IBM WebSphere 7.0 with Fix Pack 11 did not \ninclude a 'csrfid' token for the 'Save changes to the master \nconfiguration' feature; Fix Pack 13 introduced it, but anyways it is \nignored on the server side when processing a request to save the master \nconfiguration. 
\n \nThe following HTML code is a Proof-of-Concept of a specially crafted web \npage that will leverage the CSRF vulnerability in order to disable the \n'Administrative Security', 'Application Security' and 'Java 2 Security' \noptions, if a logged-in administrator visits it: \n \n/----- \n<html> \n<body> \n<iframe id=\"iframe1\" style=\"visibility:hidden\"></iframe> \n<iframe id=\"iframe2\" style=\"visibility:hidden\"></iframe> \n<script> \n//The first request disables \"Administrative security\" and \n\"Application security\" options \ndocument.getElementById(\"iframe1\").src = \n\"https://<ip>:9043/ibm/console/adminSecurityDetail.do?action=Edit&displayActiveUserRegistry=Repositorios+federados&selectUserRegistry=WIM&activeAuthMechanism=LTPA&apply=Aplicar\"; \n \n//The second request saves the changes in the WebSphere configuration \ndocument.getElementById(\"iframe2\").src = \n\"https://<ip>:9043/ibm/console/syncworkspace.do?saveaction=save&directsave=true\"; \n</script> \n</iframe> \n</body> \n</html> \n \n- -----/ \n \n \n9. *Report Timeline* \n \n. 2010-11-24: \nCore Security Technologies contacts IBM, requesting the proper point of \ncontact to report a security vulnerability in IBM WebSphere Application \nServer. \n \n. 2010-11-29: \nVendor responds providing the point of contact to report the \nvulnerability, and its PGP key to encrypt communications. \n \n. 2010-12-14: \nCore sends an advisory draft, containing the technical details needed to \nreproduce the vulnerability. Publication of Core's advisory is \ntemporarily set to January 10, 2011. \n \n. 2010-12-14: \nIBM acknowledges the receipt of the technical information. \n \n. 2010-12-21: \nCore asks the vendor whether it was able to reproduce the vulnerability. \n \n. 2011-01-05: \nVendor responds that it was able to reproduce the issue and confirms \nthere is a vulnerability. 
Vendor informs Core that it is still working \nthrough the total products affected, that it is multiple products, and \nthat this vulnerability is creating real issues on being able to resolve \nit. Vendor requests Core an extension on the release date while it \ncompletes the full evaluation of risk assessment and remedy production. \nVendor expects to have that information in the following 2 weeks. \n \n. 2011-01-06: \nCore responds that it is willing to postpone the publication of its \nadvisory. However to take that decision more information about the \nvendor's analysis of the vulnerability and its plans for developing a \nfix is required. In particular, Core requests a list of all affected \nproducts and versions, and also some insight on the difficulties of \nfixing this issue. In the meantime, the publication of this advisory is \nrescheduled to February 15th, 2011. (No reply received.) \n \n. 2011-01-31: \nSince more than 3 weeks have passed since the last communication, Core \nrequests an update on this issue. In particular Core requests to receive \ninformation respect to: \n \n. the vendor's analysis of the vulnerability, \n. the vendor's plans for developing a fix, \n. a list of affected products and versions. \n \n. 2011-02-01: \nCore reminds the vendor that in case of not receiving an answer, it will \npublish its advisory as \"user release\" on the scheduled date (February \n15th, 2011). \n \n. 2011-02-01: \nVendor replies that it has asked a status update from the WebSphere team \nto convey to Core, and will provide it briefly. \n \n. 2011-02-08: \nCore requests an update on this issue. \n \n. 2011-02-14: \nCore reminds the vendor that the advisory is scheduled to be published \non February 15th. Core communicates its willingness to publish the \nadvisory as \"coordinated release\" based on concrete feedback from the \nvendor. \n \n. 
2011-02-14: \nVendor communicates Core that it is working on a statement to provide \nfor Core, and that since the PSIRT is a new mechanism within IBM, it is \nstill defining the way to provide consistent statements. In the \nmeantime, the vendor informs that: \n \n. The vendor has a potential solution designed and partially \nimplemented to fully secure the console. It is in the process of \nreviewing the design and the impact to stack products. \n. There are an unknown number of stack products affected. WebSphere \nApplication Server (WAS) stack products that use the ISC (Integrated \nSolutions Console) based console are affected. The vendor is still \ngathering the list of products affected, and must determine the impact \nof implementing the fix. \n. There is a meeting planned to decide on the final solution to be \nimplemented and determine the key delivery dates. These decisions will \nbe taken in mid March or later. \n. The target dates for release reach into Q3 2011. \n \n. 2011-02-17: \nCore replies that it has rescheduled publication of its advisory (for \nthe second time) to March 21, 2011, in order to give PSIRT more time to \ncome up with concrete responses to the requested information. Core \nprovides additional information about its own publication process [5]. \nWithout additional information, it is difficult for Core to understand \nthe reason why users of vulnerable WebSphere software should remain \nwithout any solution until Q3 2011. \n \n. 2011-03-17: \nAfter 1 month of silence, the vendor informs Core that IBM's point of \ncontact for this issue has changed, and that further communications will \nbe handled by the head of IBM's Secure By Design initiative which \nincludes the IBM PSIRT. \n \n. 2011-03-17: \nVendor requests Core to postpone the publication of its advisory until \nearly October 2011. \n \n. 
2011-03-18: \nVendor communicates that since Core hasn't responded to the request \n(sent the previous day) of deferring the public disclosure of this \nsecurity vulnerability from 21 March to early October 2011, IBM \nconsiders that Core agrees. \n \n. 2011-03-21: \nCore answers that October 2011 is well beyond what it considers a \nreasonable timeframe to patch the type of bug that it has reported (a \nCross-Site Request Forgery). Additionally the vendor didn't provide Core \na technical analysis of the bug, explaining the difficulty to patch it \n(and why it would take IBM around 10 months to release fixes). The \nvendor didn't provide either the requested list of affected products and \nversions. According to Core's publication policy, the decision of \npostponing the publication of an advisory cannot be taken without \ntechnical arguments that justify that decision. This is why Core cannot \nagree with IBM's request to postpone publication until October 2011, \nunless the requested technical information is provided by the vendor. \n(No reply received.) \n \n. 2011-04-25: \nCore communicates the vendor that it has rescheduled the publication of \nits advisory to June 14th, 2011. That date corresponds to a 6 month \ntimeframe after technical details about this vulnerability were sent to \nIBM (on December 14th, 2010), and is considered final. (No reply received.) \n \n. 2011-06-15: \nThe advisory CORE-2010-1021 is published. \n \n \n10. *References* \n \n[1] IBM WebSphere Application Server: \nhttp://www-01.ibm.com/software/webservers/appserv/was/ \n \n[2] Cross-Site Request Forgery (CSRF) \nhttp://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 \n \n[3] Application Boundaries Enforcer (ABE) \nhttp://noscript.net/abe/ \n \n[4] The author participated in Core Security's Bugweek 2010 as member of \nthe team \"Ex Tester fuErTes and Exploit Testers\". 
\n \n[5] Finding bugs and publishing advisories _ the Core Security way \nhttp://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Finding_bugs_and_publishing_advisories \n \n[6] IBM WebSphere Reference, Global Security settings: \nhttp://publib.boulder.ibm.com/infocenter/wasinfo/fep/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/usec_secureadminappinfra.html \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://corelabs.coresecurity.com. \n \n \n12. *About Core Security Technologies* \n \nCore Security Technologies enables organizations to get ahead of threats \nwith security test and measurement solutions that continuously identify \nand demonstrate real-world exposures to their most critical assets. Our \ncustomers can gain real visibility into their security standing, real \nvalidation of their security controls, and real metrics to more \neffectively secure their organizations. \n \nCore Security's software solutions build on over a decade of trusted \nresearch and leading-edge threat expertise from the company's Security \nConsulting Services, CoreLabs and Engineering groups. Core Security \nTechnologies can be reached at +1 (617) 399-6980 or on the Web at: \nhttp://www.coresecurity.com. \n \n \n13. 
*Disclaimer* \n \nThe contents of this advisory are copyright (c) 2011 Core Security \nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative \nCommons Attribution Non-Commercial Share-Alike 3.0 (United States) \nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.9 (MingW32) \n \niEYEARECAAYFAk35HjUACgkQyNibggitWa167gCfXeOi6AS7D37B3KCKs6Jcj1s+ \nzvIAn0siKkTeoI98lg6ng54dX78N4Vwd \n=rWih \n-----END PGP SIGNATURE----- \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/102340/CORE-2010-1021.txt"}], "seebug": [{"lastseen": "2017-11-19T18:03:47", "description": "No description provided by source.", "published": "2011-06-16T00:00:00", "title": "IBM WebSphere Application Server 7.0.0.13 CSRF Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3271"], "modified": "2011-06-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20625", "id": "SSV:20625", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\n Core Security Technologies - CoreLabs Advisory\r\n http://corelabs.coresecurity.com/\r\n \r\n IBM WebSphere Application Server Cross-Site Request Forgery\r\n \r\n \r\n1. *Advisory Information*\r\n \r\nTitle: IBM WebSphere Application Server Cross-Site Request Forgery\r\nAdvisory ID: CORE-2010-1021\r\nAdvisory URL: http://www.coresecurity.com/content/IBM-WebSphere-CSRF\r\nDate published: 2011-06-15\r\nDate of last update: 2011-06-15\r\nVendors contacted: IBM\r\nRelease mode: User release\r\n \r\n \r\n2. 
*Vulnerability Information*\r\n \r\nClass: Cross-Site Request Forgery (CSRF) [CWE-352]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2010-3271\r\n \r\n \r\n3. *Vulnerability Description*\r\n \r\nWebSphere is IBM's integration software platform. It includes the entire\r\nmiddleware infrastructure --such as servers, services, and tools--\r\nneeded to write, run, and monitor 24x7 industrial-strength, on demand\r\nWeb applications and cross-platform, cross-product solutions. WebSphere\r\nApplication Server is the base for the infrastructure; everything else\r\nruns on top of it [1].\r\n \r\nThe administrative console of IBM WebSphere Application Server is\r\nvulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be\r\nexploited by remote attackers to force a logged-in administrator to\r\nperform unwanted actions on the IBM WebSphere administrative console, by\r\nenticing him to visit a malicious web page.\r\n \r\n \r\n4. *Vulnerable packages*\r\n \r\n . IBM WebSphere Application Server 7.0.0.11\r\n . IBM WebSphere Application Server 7.0.0.13\r\n . Older versions are probably affected too, but they were not checked.\r\n \r\n \r\n5. *Non-vulnerable packages*\r\n \r\nContact the vendor for a fix.\r\n \r\n \r\n6. *Vendor Information, Solutions and Workarounds*\r\n \r\nContact the vendor for a fix. The following are workarounds for this issue.\r\n \r\n6.1. *Server side*\r\n \r\nAccording to OWASP [2], CSRF vulnerabilities can be avoided by checking\r\nthe referrer of the HTTP request and verifying that the request comes\r\nfrom the original site. A potential workaround is thus to set a rule on\r\na Web Application Firewall that checks the referrer of the requests, and\r\nverifies that all the requests to the WebSphere administrative console\r\nare originated from the same site.\r\n \r\n6.2. 
*Client side*\r\n \r\nAn administrator of WebSphere administrative console could mitigate the\r\nbug by using Firefox and the NoScript add-on; more precisely by making\r\nuse of the ABE [3] (Application Boundaries Enforcer) feature of\r\nNoScript. With ABE it is possible to define rules such as the following:\r\n \r\n/-----\r\nSite *.example.com\r\nAccept from SELF\r\nDeny\r\n- -----/\r\n \r\nThis rule applies to *.example.com; it will allow all the requests made\r\nfrom the same site, and block all the requests directed to *.example.com\r\nbut generated from any other site, avoiding that Firefox sends the\r\nrequest to the server. The syntax of the ABE rules is defined here:\r\nhttp://noscript.net/abe/abe_rules.pdf\r\n \r\n \r\n7. *Credits*\r\n \r\nThis vulnerability was discovered and researched by Francisco Falcon\r\nfrom Core Security Technologies during Bugweek 2010 [4]. Additional\r\nresearch was performed by Alejandro Rodriguez. Publication was\r\ncoordinated by Carlos Sarraute.\r\n \r\n \r\n8. *Technical Description / Proof of Concept Code*\r\n \r\nThe administrative console (also known as Integrated Solutions Console)\r\nof IBM WebSphere Application Server is vulnerable to Cross-Site Request\r\nForgery (CSRF) [2] attacks, which can be exploited by remote attackers\r\nto force a logged-in administrator to perform unwanted actions on the\r\nIBM WebSphere administrative console, by enticing him to visit a\r\nmalicious web page.\r\n \r\nThe administrative console of IBM WebSphere Application Server includes\r\na standard protection mechanism against Cross-Site Request Forgery,\r\nwhich consists of a token that is included as a hidden field on every\r\n'FORM', named 'csrfid', that is sent to the web server in each 'POST'\r\nrequest performed by the web browser. When the web server receives a\r\n'POST' request, it checks that the 'csrfid' token included in the\r\nparameters of the 'POST' request matches the anti-CSRF token associated\r\nwith the current session. 
If they do not match, then IBM WebSphere\r\nresponds with an "'Unauthorized Request'" message, thus effectively\r\npreventing CSRF.\r\n \r\nHowever, in certain areas of the administrative console, WebSphere\r\nforgets to check the value of the 'csrfid' token when processing 'POST'\r\nrequests, even though the 'csrfid' hidden field is included in every\r\n'FORM', making the application vulnerable to Cross-Site Request Forgery.\r\n \r\nThe vulnerable areas of the WebSphere administrative console include the\r\n'Security > Global Security' panel [6], and the 'Save changes to the\r\nmaster configuration' feature. This makes possible for a remote attacker\r\nto disable the 'Administrative Security', 'Application Security' and\r\n'Java 2 Security' options, and then to save the changes to the\r\nconfiguration, by tricking an IBM WebSphere administrator which is\r\ncurrently logged in to the administrative console to visit a malicious\r\nweb page. Also note that IBM WebSphere 7.0 with Fix Pack 11 did not\r\ninclude a 'csrfid' token for the 'Save changes to the master\r\nconfiguration' feature; Fix Pack 13 introduced it, but anyways it is\r\nignored on the server side when processing a request to save the master\r\nconfiguration.\r\n \r\nThe following HTML code is a Proof-of-Concept of a specially crafted web\r\npage that will leverage the CSRF vulnerability in order to disable the\r\n'Administrative Security', 'Application Security' and 'Java 2 Security'\r\noptions, if a logged-in administrator visits it:\r\n \r\n/-----\r\n<html>\r\n<body>\r\n<iframe id="iframe1" style="visibility:hidden"></iframe>\r\n<iframe id="iframe2" style="visibility:hidden"></iframe>\r\n <script>\r\n //The first request disables "Administrative security" and\r\n"Application security" options\r\n document.getElementById("iframe1").src 
=\r\n"https://<ip>:9043/ibm/console/adminSecurityDetail.do?action=Edit&displayActiveUserRegistry=Repositorios+federados&selectUserRegistry=WIM&activeAuthMechanism=LTPA&apply=Aplicar";\r\n \r\n //The second request saves the changes in the WebSphere configuration\r\n document.getElementById("iframe2").src =\r\n"https://<ip>:9043/ibm/console/syncworkspace.do?saveaction=save&directsave=true";\r\n </script>\r\n</iframe>\r\n</body>\r\n</html>\r\n \r\n- -----/\r\n \r\n \r\n9. *Report Timeline*\r\n \r\n. 2010-11-24:\r\nCore Security Technologies contacts IBM, requesting the proper point of\r\ncontact to report a security vulnerability in IBM WebSphere Application\r\nServer.\r\n \r\n. 2010-11-29:\r\nVendor responds providing the point of contact to report the\r\nvulnerability, and its PGP key to encrypt communications.\r\n \r\n. 2010-12-14:\r\nCore sends an advisory draft, containing the technical details needed to\r\nreproduce the vulnerability. Publication of Core's advisory is\r\ntemporarily set to January 10, 2011.\r\n \r\n. 2010-12-14:\r\nIBM acknowledges the receipt of the technical information.\r\n \r\n. 2010-12-21:\r\nCore asks the vendor whether it was able to reproduce the vulnerability.\r\n \r\n. 2011-01-05:\r\nVendor responds that it was able to reproduce the issue and confirms\r\nthere is a vulnerability. Vendor informs Core that it is still working\r\nthrough the total products affected, that it is multiple products, and\r\nthat this vulnerability is creating real issues on being able to resolve\r\nit. Vendor requests Core an extension on the release date while it\r\ncompletes the full evaluation of risk assessment and remedy production.\r\nVendor expects to have that information in the following 2 weeks.\r\n \r\n. 2011-01-06:\r\nCore responds that it is willing to postpone the publication of its\r\nadvisory. However to take that decision more information about the\r\nvendor's analysis of the vulnerability and its plans for developing a\r\nfix is required. 
In particular, Core requests a list of all affected\r\nproducts and versions, and also some insight on the difficulties of\r\nfixing this issue. In the meantime, the publication of this advisory is\r\nrescheduled to February 15th, 2011. (No reply received.)\r\n \r\n. 2011-01-31:\r\nSince more than 3 weeks have passed since the last communication, Core\r\nrequests an update on this issue. In particular Core requests to receive\r\ninformation respect to:\r\n \r\n . the vendor's analysis of the vulnerability,\r\n . the vendor's plans for developing a fix,\r\n . a list of affected products and versions.\r\n \r\n. 2011-02-01:\r\nCore reminds the vendor that in case of not receiving an answer, it will\r\npublish its advisory as "user release" on the scheduled date (February\r\n15th, 2011).\r\n \r\n. 2011-02-01:\r\nVendor replies that it has asked a status update from the WebSphere team\r\nto convey to Core, and will provide it briefly.\r\n \r\n. 2011-02-08:\r\nCore requests an update on this issue.\r\n \r\n. 2011-02-14:\r\nCore reminds the vendor that the advisory is scheduled to be published\r\non February 15th. Core communicates its willingness to publish the\r\nadvisory as "coordinated release" based on concrete feedback from the\r\nvendor.\r\n \r\n. 2011-02-14:\r\nVendor communicates Core that it is working on a statement to provide\r\nfor Core, and that since the PSIRT is a new mechanism within IBM, it is\r\nstill defining the way to provide consistent statements. In the\r\nmeantime, the vendor informs that:\r\n \r\n . The vendor has a potential solution designed and partially\r\nimplemented to fully secure the console. It is in the process of\r\nreviewing the design and the impact to stack products.\r\n . There are an unknown number of stack products affected. WebSphere\r\nApplication Server (WAS) stack products that use the ISC (Integrated\r\nSolutions Console) based console are affected. 
The vendor is still\r\ngathering the list of products affected, and must determine the impact\r\nof implementing the fix.\r\n . There is a meeting planned to decide on the final solution to be\r\nimplemented and determine the key delivery dates. These decisions will\r\nbe taken in mid March or later.\r\n . The target dates for release reach into Q3 2011.\r\n \r\n. 2011-02-17:\r\nCore replies that it has rescheduled publication of its advisory (for\r\nthe second time) to March 21, 2011, in order to give PSIRT more time to\r\ncome up with concrete responses to the requested information. Core\r\nprovides additional information about its own publication process [5].\r\nWithout additional information, it is difficult for Core to understand\r\nthe reason why users of vulnerable WebSphere software should remain\r\nwithout any solution until Q3 2011.\r\n \r\n. 2011-03-17:\r\nAfter 1 month of silence, the vendor informs Core that IBM's point of\r\ncontact for this issue has changed, and that further communications will\r\nbe handled by the head of IBM's Secure By Design initiative which\r\nincludes the IBM PSIRT.\r\n \r\n. 2011-03-17:\r\nVendor requests Core to postpone the publication of its advisory until\r\nearly October 2011.\r\n \r\n. 2011-03-18:\r\nVendor communicates that since Core hasn't responded to the request\r\n(sent the previous day) of deferring the public disclosure of this\r\nsecurity vulnerability from 21 March to early October 2011, IBM\r\nconsiders that Core agrees.\r\n \r\n. 2011-03-21:\r\nCore answers that October 2011 is well beyond what it considers a\r\nreasonable timeframe to patch the type of bug that it has reported (a\r\nCross-Site Request Forgery). Additionally the vendor didn't provide Core\r\na technical analysis of the bug, explaining the difficulty to patch it\r\n(and why it would take IBM around 10 months to release fixes). The\r\nvendor didn't provide either the requested list of affected products and\r\nversions. 
According to Core's publication policy, the decision of\r\npostponing the publication of an advisory cannot be taken without\r\ntechnical arguments that justify that decision. This is why Core cannot\r\nagree with IBM's request to postpone publication until October 2011,\r\nunless the requested technical information is provided by the vendor.\r\n(No reply received.)\r\n \r\n. 2011-04-25:\r\nCore communicates the vendor that it has rescheduled the publication of\r\nits advisory to June 14th, 2011. That date corresponds to a 6 month\r\ntimeframe after technical details about this vulnerability were sent to\r\nIBM (on December 14th, 2010), and is considered final. (No reply received.)\r\n \r\n. 2011-06-15:\r\nThe advisory CORE-2010-1021 is published.\r\n \r\n \r\n10. *References*\r\n \r\n[1] IBM WebSphere Application Server:\r\nhttp://www-01.ibm.com/software/webservers/appserv/was/\r\n \r\n[2] Cross-Site Request Forgery (CSRF)\r\nhttp://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\r\n \r\n[3] Application Boundaries Enforcer (ABE)\r\nhttp://noscript.net/abe/\r\n \r\n[4] The author participated in Core Security's Bugweek 2010 as member of\r\nthe team "Ex Tester fuErTes and Exploit Testers".\r\n \r\n[5] Finding bugs and publishing advisories _ the Core Security way\r\nhttp://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Finding_bugs_and_publishing_advisories\r\n \r\n[6] IBM WebSphere Reference, Global Security settings:\r\nhttp://publib.boulder.ibm.com/infocenter/wasinfo/fep/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/usec_secureadminappinfra.html\r\n \r\n \r\n11. *About CoreLabs*\r\n \r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. 
We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n \r\n \r\n12. *About Core Security Technologies*\r\n \r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n \r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n \r\n \r\n13. *Disclaimer*\r\n \r\nThe contents of this advisory are copyright (c) 2011 Core Security\r\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n \r\n \r\n14. 
*PGP/GPG Keys*\r\n \r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\n \r\niEYEARECAAYFAk35HjUACgkQyNibggitWa167gCfXeOi6AS7D37B3KCKs6Jcj1s+\r\nzvIAn0siKkTeoI98lg6ng54dX78N4Vwd\r\n=rWih\r\n-----END PGP SIGNATURE-----\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-20625"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:20", "description": "\nIBM Websphere Application Server 7.0.0.13 - Cross-Site Request Forgery", "edition": 1, "published": "2011-06-15T00:00:00", "title": "IBM Websphere Application Server 7.0.0.13 - Cross-Site Request Forgery", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3271"], "modified": "2011-06-15T00:00:00", "id": "EXPLOITPACK:C20E52E11FD2CE46B6DA6B37D624455E", "href": "", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://corelabs.coresecurity.com/\n\n IBM WebSphere Application Server Cross-Site Request Forgery\n\n\n1. *Advisory Information*\n\nTitle: IBM WebSphere Application Server Cross-Site Request Forgery\nAdvisory ID: CORE-2010-1021\nAdvisory URL: http://www.coresecurity.com/content/IBM-WebSphere-CSRF\nDate published: 2011-06-15\nDate of last update: 2011-06-15\nVendors contacted: IBM\nRelease mode: User release\n\n\n2. *Vulnerability Information*\n\nClass: Cross-Site Request Forgery (CSRF) [CWE-352]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2010-3271\n\n\n3. *Vulnerability Description*\n\nWebSphere is IBM's integration software platform. 
It includes the entire\nmiddleware infrastructure --such as servers, services, and tools--\nneeded to write, run, and monitor 24x7 industrial-strength, on demand\nWeb applications and cross-platform, cross-product solutions. WebSphere\nApplication Server is the base for the infrastructure; everything else\nruns on top of it [1].\n\nThe administrative console of IBM WebSphere Application Server is\nvulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be\nexploited by remote attackers to force a logged-in administrator to\nperform unwanted actions on the IBM WebSphere administrative console, by\nenticing him to visit a malicious web page.\n\n\n4. *Vulnerable packages*\n\n . IBM WebSphere Application Server 7.0.0.11\n . IBM WebSphere Application Server 7.0.0.13\n . Older versions are probably affected too, but they were not checked.\n\n\n5. *Non-vulnerable packages*\n\nContact the vendor for a fix.\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nContact the vendor for a fix. The following are workarounds for this issue.\n\n6.1. *Server side*\n\nAccording to OWASP [2], CSRF vulnerabilities can be avoided by checking\nthe referrer of the HTTP request and verifying that the request comes\nfrom the original site. A potential workaround is thus to set a rule on\na Web Application Firewall that checks the referrer of the requests, and\nverifies that all the requests to the WebSphere administrative console\nare originated from the same site.\n\n6.2. *Client side*\n\nAn administrator of WebSphere administrative console could mitigate the\nbug by using Firefox and the NoScript add-on; more precisely by making\nuse of the ABE [3] (Application Boundaries Enforcer) feature of\nNoScript. 
With ABE it is possible to define rules such as the following:\n\n/-----\nSite *.example.com\nAccept from SELF\nDeny\n- -----/\n\nThis rule applies to *.example.com; it will allow all the requests made\nfrom the same site, and block all the requests directed to *.example.com\nbut generated from any other site, avoiding that Firefox sends the\nrequest to the server. The syntax of the ABE rules is defined here:\nhttp://noscript.net/abe/abe_rules.pdf\n\n\n7. *Credits*\n\nThis vulnerability was discovered and researched by Francisco Falcon\nfrom Core Security Technologies during Bugweek 2010 [4]. Additional\nresearch was performed by Alejandro Rodriguez. Publication was\ncoordinated by Carlos Sarraute.\n\n\n8. *Technical Description / Proof of Concept Code*\n\nThe administrative console (also known as Integrated Solutions Console)\nof IBM WebSphere Application Server is vulnerable to Cross-Site Request\nForgery (CSRF) [2] attacks, which can be exploited by remote attackers\nto force a logged-in administrator to perform unwanted actions on the\nIBM WebSphere administrative console, by enticing him to visit a\nmalicious web page.\n\nThe administrative console of IBM WebSphere Application Server includes\na standard protection mechanism against Cross-Site Request Forgery,\nwhich consists of a token that is included as a hidden field on every\n'FORM', named 'csrfid', that is sent to the web server in each 'POST'\nrequest performed by the web browser. When the web server receives a\n'POST' request, it checks that the 'csrfid' token included in the\nparameters of the 'POST' request matches the anti-CSRF token associated\nwith the current session. 
If they do not match, then IBM WebSphere\nresponds with an \"'Unauthorized Request'\" message, thus effectively\npreventing CSRF.\n\nHowever, in certain areas of the administrative console, WebSphere\nforgets to check the value of the 'csrfid' token when processing 'POST'\nrequests, even though the 'csrfid' hidden field is included in every\n'FORM', making the application vulnerable to Cross-Site Request Forgery.\n\nThe vulnerable areas of the WebSphere administrative console include the\n'Security > Global Security' panel [6], and the 'Save changes to the\nmaster configuration' feature. This makes possible for a remote attacker\nto disable the 'Administrative Security', 'Application Security' and\n'Java 2 Security' options, and then to save the changes to the\nconfiguration, by tricking an IBM WebSphere administrator which is\ncurrently logged in to the administrative console to visit a malicious\nweb page. Also note that IBM WebSphere 7.0 with Fix Pack 11 did not\ninclude a 'csrfid' token for the 'Save changes to the master\nconfiguration' feature; Fix Pack 13 introduced it, but anyways it is\nignored on the server side when processing a request to save the master\nconfiguration.\n\nThe following HTML code is a Proof-of-Concept of a specially crafted web\npage that will leverage the CSRF vulnerability in order to disable the\n'Administrative Security', 'Application Security' and 'Java 2 Security'\noptions, if a logged-in administrator visits it:\n\n/-----\n<html>\n<body>\n<iframe id=\"iframe1\" style=\"visibility:hidden\"></iframe>\n<iframe id=\"iframe2\" style=\"visibility:hidden\"></iframe>\n <script>\n //The first request disables \"Administrative security\" and\n\"Application security\" options\n document.getElementById(\"iframe1\").src =\n\"https://<ip>:9043/ibm/console/adminSecurityDetail.do?action=Edit&displayActiveUserRegistry=Repositorios+federados&selectUserRegistry=WIM&activeAuthMechanism=LTPA&apply=Aplicar\";\n\n //The second request saves the changes 
in the WebSphere configuration\n document.getElementById(\"iframe2\").src =\n\"https://<ip>:9043/ibm/console/syncworkspace.do?saveaction=save&directsave=true\";\n </script>\n</iframe>\n</body>\n</html>\n\n- -----/\n\n\n9. *Report Timeline*\n\n. 2010-11-24:\nCore Security Technologies contacts IBM, requesting the proper point of\ncontact to report a security vulnerability in IBM WebSphere Application\nServer.\n\n. 2010-11-29:\nVendor responds providing the point of contact to report the\nvulnerability, and its PGP key to encrypt communications.\n\n. 2010-12-14:\nCore sends an advisory draft, containing the technical details needed to\nreproduce the vulnerability. Publication of Core's advisory is\ntemporarily set to January 10, 2011.\n\n. 2010-12-14:\nIBM acknowledges the receipt of the technical information.\n\n. 2010-12-21:\nCore asks the vendor whether it was able to reproduce the vulnerability.\n\n. 2011-01-05:\nVendor responds that it was able to reproduce the issue and confirms\nthere is a vulnerability. Vendor informs Core that it is still working\nthrough the total products affected, that it is multiple products, and\nthat this vulnerability is creating real issues on being able to resolve\nit. Vendor requests Core an extension on the release date while it\ncompletes the full evaluation of risk assessment and remedy production.\nVendor expects to have that information in the following 2 weeks.\n\n. 2011-01-06:\nCore responds that it is willing to postpone the publication of its\nadvisory. However to take that decision more information about the\nvendor's analysis of the vulnerability and its plans for developing a\nfix is required. In particular, Core requests a list of all affected\nproducts and versions, and also some insight on the difficulties of\nfixing this issue. In the meantime, the publication of this advisory is\nrescheduled to February 15th, 2011. (No reply received.)\n\n. 
2011-01-31:\nSince more than 3 weeks have passed since the last communication, Core\nrequests an update on this issue. In particular Core requests to receive\ninformation respect to:\n\n . the vendor's analysis of the vulnerability,\n . the vendor's plans for developing a fix,\n . a list of affected products and versions.\n\n. 2011-02-01:\nCore reminds the vendor that in case of not receiving an answer, it will\npublish its advisory as \"user release\" on the scheduled date (February\n15th, 2011).\n\n. 2011-02-01:\nVendor replies that it has asked a status update from the WebSphere team\nto convey to Core, and will provide it briefly.\n\n. 2011-02-08:\nCore requests an update on this issue.\n\n. 2011-02-14:\nCore reminds the vendor that the advisory is scheduled to be published\non February 15th. Core communicates its willingness to publish the\nadvisory as \"coordinated release\" based on concrete feedback from the\nvendor.\n\n. 2011-02-14:\nVendor communicates Core that it is working on a statement to provide\nfor Core, and that since the PSIRT is a new mechanism within IBM, it is\nstill defining the way to provide consistent statements. In the\nmeantime, the vendor informs that:\n\n . The vendor has a potential solution designed and partially\nimplemented to fully secure the console. It is in the process of\nreviewing the design and the impact to stack products.\n . There are an unknown number of stack products affected. WebSphere\nApplication Server (WAS) stack products that use the ISC (Integrated\nSolutions Console) based console are affected. The vendor is still\ngathering the list of products affected, and must determine the impact\nof implementing the fix.\n . There is a meeting planned to decide on the final solution to be\nimplemented and determine the key delivery dates. These decisions will\nbe taken in mid March or later.\n . The target dates for release reach into Q3 2011.\n\n. 
2011-02-17:\nCore replies that it has rescheduled publication of its advisory (for\nthe second time) to March 21, 2011, in order to give PSIRT more time to\ncome up with concrete responses to the requested information. Core\nprovides additional information about its own publication process [5].\nWithout additional information, it is difficult for Core to understand\nthe reason why users of vulnerable WebSphere software should remain\nwithout any solution until Q3 2011.\n\n. 2011-03-17:\nAfter 1 month of silence, the vendor informs Core that IBM's point of\ncontact for this issue has changed, and that further communications will\nbe handled by the head of IBM's Secure By Design initiative which\nincludes the IBM PSIRT.\n\n. 2011-03-17:\nVendor requests Core to postpone the publication of its advisory until\nearly October 2011.\n\n. 2011-03-18:\nVendor communicates that since Core hasn't responded to the request\n(sent the previous day) of deferring the public disclosure of this\nsecurity vulnerability from 21 March to early October 2011, IBM\nconsiders that Core agrees.\n\n. 2011-03-21:\nCore answers that October 2011 is well beyond what it considers a\nreasonable timeframe to patch the type of bug that it has reported (a\nCross-Site Request Forgery). Additionally the vendor didn't provide Core\na technical analysis of the bug, explaining the difficulty to patch it\n(and why it would take IBM around 10 months to release fixes). The\nvendor didn't provide either the requested list of affected products and\nversions. According to Core's publication policy, the decision of\npostponing the publication of an advisory cannot be taken without\ntechnical arguments that justify that decision. This is why Core cannot\nagree with IBM's request to postpone publication until October 2011,\nunless the requested technical information is provided by the vendor.\n(No reply received.)\n\n. 
2011-04-25:\nCore communicates the vendor that it has rescheduled the publication of\nits advisory to June 14th, 2011. That date corresponds to a 6 month\ntimeframe after technical details about this vulnerability were sent to\nIBM (on December 14th, 2010), and is considered final. (No reply received.)\n\n. 2011-06-15:\nThe advisory CORE-2010-1021 is published.\n\n\n10. *References*\n\n[1] IBM WebSphere Application Server:\nhttp://www-01.ibm.com/software/webservers/appserv/was/\n\n[2] Cross-Site Request Forgery (CSRF)\nhttp://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\n\n[3] Application Boundaries Enforcer (ABE)\nhttp://noscript.net/abe/\n\n[4] The author participated in Core Security's Bugweek 2010 as member of\nthe team \"Ex Tester fuErTes and Exploit Testers\".\n\n[5] Finding bugs and publishing advisories _ the Core Security way\nhttp://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Finding_bugs_and_publishing_advisories\n\n[6] IBM WebSphere Reference, Global Security settings:\nhttp://publib.boulder.ibm.com/infocenter/wasinfo/fep/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/usec_secureadminappinfra.html\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com.\n\n\n12. 
*About Core Security Technologies*\n\nCore Security Technologies enables organizations to get ahead of threats\nwith security test and measurement solutions that continuously identify\nand demonstrate real-world exposures to their most critical assets. Our\ncustomers can gain real visibility into their security standing, real\nvalidation of their security controls, and real metrics to more\neffectively secure their organizations.\n\nCore Security's software solutions build on over a decade of trusted\nresearch and leading-edge threat expertise from the company's Security\nConsulting Services, CoreLabs and Engineering groups. Core Security\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2011 Core Security\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.9 (MingW32)\n\niEYEARECAAYFAk35HjUACgkQyNibggitWa167gCfXeOi6AS7D37B3KCKs6Jcj1s+\nzvIAn0siKkTeoI98lg6ng54dX78N4Vwd\n=rWih\n-----END PGP SIGNATURE-----", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}