Cross-site scripting (XSS) vulnerability in WebSphere App Server 7.0.0.11 and 7.0.0.13

Strongback Consulting

If you are running WAS 7, be sure to check your fix packs today. We recommend patching to the latest fix pack, 7.0.0.17, or to 7.0.0.15 at a minimum. There is a cross-site scripting vulnerability you need to be aware of, as reported by Core Security Technologies.

Core Security Technologies Advisory – The administrative console of IBM WebSphere Application Server is vulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be exploited by remote attackers to force a logged-in administrator to perform unwanted actions on the IBM WebSphere administrative console, by enticing him to visit a malicious web page. Versions 7.0.0.11 and 7.0.0.13 are confirmed vulnerable.

Core Security Technologies, Francisco Falcon

The IBM fix list shows that WAS 7.0.0.15 corrects this issue (APAR PK77505):
http://www-01.ibm.com/support/docview.wss?uid=swg27014463&wv=1
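A quick way to turn the fix-pack advice above into an audit across several servers, as an added example that is not part of the original post: it pulls the dotted fix-pack level out of a line such as the one `versionInfo` prints (that input shape is an assumption) and compares it against 7.0.0.15 as integer tuples, because a naive string comparison ranks "7.0.0.9" above "7.0.0.13" and would report a vulnerable server as patched.

```python
import re

# Minimum WAS 7 fix pack that corrects the issue (APAR PK77505), per the post.
FIXED_AT = (7, 0, 0, 15)
# Fix pack the post recommends as the current target.
RECOMMENDED = (7, 0, 0, 17)


def parse_version(text):
    """Extract the first dotted four-part version (e.g. '7.0.0.13') from text.

    Assumes a line like 'Version  7.0.0.13' as printed by versionInfo; that
    format is an assumption of this example, not something the post shows.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no four-part version found in: %r" % (text,))
    return tuple(int(g) for g in m.groups())


def assess(text):
    """Classify one WAS install as 'patched', 'vulnerable' or 'unknown'.

    Comparison is on integer tuples, so 7.0.0.9 < 7.0.0.13 < 7.0.0.15 as
    intended; comparing the raw strings would get the first pair wrong.
    """
    v = parse_version(text)
    if v[:2] != (7, 0):
        return "unknown"  # other release lines are outside what the post covers
    return "patched" if v >= FIXED_AT else "vulnerable"


def audit(lines):
    """Map each constructed 'host: version line' entry to its assessment."""
    results = {}
    for line in lines:
        host, _, version_text = line.partition(":")
        results[host.strip()] = assess(version_text)
    return results


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        "was-a: Version  7.0.0.13",
        "was-b: Version  7.0.0.9",
        "was-c: Version  7.0.0.17",
        "was-d: Version  8.0.0.1",
    ]
    for host, state in sorted(audit(sample).items()):
        print("%s -> %s" % (host, state))
```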

If you are totally, blissfully oblivious to XSS attacks, you should watch this video.

<p>
<iframe width="560" height="349" src="http://www.youtube.com/embed/r79ozjCL7DA" frameborder="0" allowfullscreen></iframe></p>
<p>
Now that you've seen that, ask yourself, "could the software my organization is writing be hacked like that?" Rational AppScan is a great solution for black box testing your web sites. We've used it before, and recommend it to customers.
</p>
<p><iframe width="560" height="349" src="http://www.youtube.com/embed/nfKnsBQdNkM" frameborder="0" allowfullscreen></iframe></p>
<p>I think IBM was not eating their own dogfood (so to speak) before. Nice to see the Rational team smack the WebSphere team every now and again.</p>
