IBM WebSphere Application Server URL Unspecified Script Execution

2005-12-16T06:02:36
ID OSVDB:25369
Type osvdb
Reporter OSVDB
Modified 2005-12-16T06:02:36

Description

Vulnerability Description

WebSphere Application Server contains a flaw that allows a remote script execution attack. This flaw exists because the software does not validate all script tags passed as part of an URL. This could allow a user to create a specially crafted URL that would execute scripting code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 6.0.2 Fix Pack 5 or higher, version 5.1.1 Cumulative Fix 10 or higher, or 5.0.2 Cumulative Fix 16 or higher, respectively, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

WebSphere Application Server contains a flaw that allows a remote script execution attack. This flaw exists because the software does not validate all script tags passed as part of an URL. This could allow a user to create a specially crafted URL that would execute scripting code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

References:

Vendor Specific News/Changelog Entry: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006879 Vendor Specific News/Changelog Entry: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006881 Vendor Specific News/Changelog Entry: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006876 Secunia Advisory ID:20032 Related OSVDB ID: 25372 Related OSVDB ID: 25370 Related OSVDB ID: 25371 Related OSVDB ID: 25373 Related OSVDB ID: 25374 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0175.html Keyword: PK13968 Keyword: PK15571 FrSIRT Advisory: ADV-2006-2552 FrSIRT Advisory: ADV-2006-1736 CVE-2006-2435