IBM Tivoli SecureWay WebSEAL XSS Attempt Logging Failure

2003-10-31T01:06:04
ID OSVDB:18724
Type osvdb
Reporter OSVDB
Modified 2003-10-31T01:06:04

Description

Vulnerability Description

Tivoli SecureWay WebSEAL contains a flaw that may allow a malicious user to perform cross-site scripting attacks without detection. The issue is triggered when the URI contains a "?": in that case WebSEAL fails to log the cross-site scripting attempt. As a result, cross-site scripting attacks may go undetected, resulting in a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, IBM has released a patch to address this vulnerability.

References:

Vendor URL: http://www-1.ibm.com/support/docview.wss?uid=swg1IY50407
Vendor Specific Solution URL: http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg24005813
Vendor Specific Advisory URL
Keyword: APAR
Keyword: IY50409
Keyword: IY50407