ibm_css.txt

`-----------------------------------------------------------  
+ IBM WEBSPHERE 6 Sample scripts Cross site scripting +  
-----------------------------------------------------------  
  
Release Date:  
12/12/2005  
  
Severity:  
low  
  
Product:  
http://www-306.ibm.com/software/info/ecatalog/en_GB/products/U105789N42720B65.html?&S_TACT=none&S_CMP=none  
  
Description:  
WebSphere Application Server, V6.0 can increase your return on investment on existing IT assets while providing  
the foundation for the IBM Software Group Portfolio. WebSphere Application Server, V6.0 is Java� 2 Enterprise  
Edition (J2EE) 1.4-compatible and enables an on-demand infrastructure with the following key features:   
-Full J2EE support across all offerings   
-Mixed application server support (V5, V5.1, and V6) for more flexible migration to newest versions of   
-WebSphere Application Server   
-Support for unified administration of a mixed WebSphere Application Server environment (V5.0, V5.1, and V6.0)  
for a more flexible migration to WebSphere Application Server V6.0   
-WebSphere Rapid Deployment for reducing the complexity of developing and deploying J2EE applications   
-Additional Web services standards above J2EE 1.4 for the sound foundation for the Services Oriented Architecture  
(SOA)   
-Broad platform support, allowing increased integration of existing resources and deployment platform choices   
  
Details:  
Some Cross site scripting attacks have been identified in the Samples that Websphere server installs by default.This  
can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.  
  
(1) The first Css takes place in the /PlantSByWebSpere/ sample in the login script.  
http://[host]:9080/PlantsByWebSphere/login.jsp  
Input passed in the "E-mail address" field isn't properly sanitised before being returned to the user.  
Login.jsp can also be used to enumerate valid accounts because login.jsp returns different error messages   
depending on whether a username is valid or invalid.  
  
(2) The second Css exists in the /TechnologySample/BulletinBoard Script (it is installed be default).  
Input passed in the "message" field is not properly sanitized before being returned to the user. This can be  
exploited to execute arbitary HTML and script code in a user's browser session on context of an affected site.  
http://[host]:9080/TechnologySamples/BulletinBoard/index.html  
  
(3) The third Css vulnerability was identified in the /TechnologySamples/Subscription/ sample script.  
Input passed in the "Email address" field is not properly sanitized before being returned to the user. This can beexploited to   
execute arbitary HTML and script code in a user's browser session on context of an affected site.  
http://localhost:9080/TechnologySamples/Subscription/SubscriptionJSP.jsp  
* Enter input: <script-code>@wasted.gr  
  
(4) Another Css exists in the /TechnologySamples/MovieReview2_1/. Input passed in the "Movie Name" , "Move Reviewer"  
and "Movie Review" field is not properly sanitized before being returned to the user.This can beexploited to   
execute arbitary HTML and script code in a user's browser session on context of an affected site.  
http://localhost:9080/TechnologySamples/MovieReview2_1/  
*Use the Add button first and then use the find button for this attack to take place.  
  
  
Workaround:  
(1)Remove the specified scripts  
(2)Edit the source code to ensure that input is properly sanitised.  
  
credit:  
dr_insane  
`