Security: Potential Cross Site Scripting vulnerability with IBM WebSphere Application Server V5.1

 Flash (Alert)
 
Abstract
Potential Cross Site Scripting (XSS) vulnerability with IBM® WebSphere® Application Server V5.1
The WebContainer's response to an unsupported or unrecognized Expect header exposes clients to a potential Cross Site Scripting (XSS) vulnerability (APAR PK51068) in IBM® WebSphere® Application Server V5.1.
 
Content
Versions affected:
All IBM® WebSphere® Application Server versions 5.1.1.4 through 5.1.1.16 for Distributed, and versions 5.1.1.4 through 5.1.1.16 for i5/OS.
This problem does not occur in versions 4.0, 5.0, 6.0, 6.1, or later. This problem does not exist on the z/OS platform.

Problem Description:
The WebContainer's response to an unsupported or unrecognized Expect header exposes clients to a potential Cross Site Scripting (XSS) vulnerability.

According to section 14.20 of RFC 2616:
A server that does not understand or is unable to comply with any of the expectation values in the Expect field of a request MUST respond with an appropriate error status. The RFC does not say whether that error response may repeat the rejected value. A request can therefore carry an Expect header whose value is script (for example JavaScript), and a server that copies the value into an HTML error page without output encoding reflects that script to the client.

The IBM WebSphere Application Server V5.1 WebContainer echoes the unrecognized Expect header value in its error response. Note that an attacker must be able to make the victim's client send the crafted header to the server; standard browser scripting interfaces such as XMLHttpRequest do not allow script to set the Expect header, so the exposure is the server-side echo, not something a page can trigger directly from ordinary JavaScript.
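The following is an added example, not IBM code and not the WebContainer's own implementation. It models the 417 error page a server produces for an Expect value it does not understand, in the vulnerable form the advisory describes (header value copied verbatim into HTML) beside a hardened form (value HTML-encoded), gives a pure check for whether a tag-shaped probe marker came back unencoded, wraps that check in a live probe a tester can point at a server, and adds a small triage helper for the affected version range stated above. The hostname, port and path in the commented-out live call are placeholders.

```python
"""Reflection check for the Expect-header echo described in this advisory.

Added example (not IBM code).  Models a server's 417 error page for an
unsupported Expect value in vulnerable and hardened form, and probes a
server for the unencoded echo.  Host/port/path below are assumptions.
"""
import html
import http.client
import secrets


def make_marker() -> str:
    """Random token so a reflection cannot be confused with static page text."""
    return "expectprobe" + secrets.token_hex(4)


def build_417_response(expect_value: str, hardened: bool) -> bytes:
    """Build the reply to an Expect value the server does not understand.

    RFC 2616 14.20 requires an error status (417) but says nothing about
    echoing the value.  hardened=False mirrors the flaw: the client-controlled
    header is copied verbatim into an HTML body.  hardened=True HTML-encodes
    it; omitting the value entirely is the other safe choice.
    """
    shown = html.escape(expect_value, quote=True) if hardened else expect_value
    body = ("<html><body><h1>417 Expectation Failed</h1>"
            f"<p>Unsupported Expect value: {shown}</p></body></html>").encode()
    head = ("HTTP/1.1 417 Expectation Failed\r\n"
            "Content-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n").encode()
    return head + body


def reflected_unencoded(body: str, marker: str) -> bool:
    """True if '<marker>' appears in the body with its angle brackets intact.

    A benign tag-shaped token is enough to prove the encoding gap; no script
    needs to be sent to the target.
    """
    return f"<{marker}>" in body


def is_affected(version: str, platform: str) -> bool:
    """Triage helper for the affected range stated in the advisory:
    5.1.1.4 through 5.1.1.16 on Distributed and i5/OS; z/OS is not affected.
    """
    if platform.lower() == "z/os":
        return False
    parts = tuple(int(p) for p in version.split("."))
    return (5, 1, 1, 4) <= parts <= (5, 1, 1, 16)


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0):
    """Send one GET with a tag-shaped Expect header and report the outcome.

    Returns (status, reflected).  A 417 whose body contains the marker
    unencoded is the behaviour APAR PK51068 corrects.
    """
    marker = make_marker()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Expect": f"<{marker}>"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, reflected_unencoded(body, marker)
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration against the simulated responses.
    m = make_marker()
    for hardened in (False, True):
        text = build_417_response(f"<{m}>", hardened).decode()
        print("hardened" if hardened else "vulnerable",
              "-> reflected unencoded:", reflected_unencoded(text, m))
    # Live use (hostname and port are placeholders, assumed values):
    # print(probe("was-test.example.internal", 9080, "/"))
```

When running the live probe, confirm from the Server header or an out-of-band check that the 417 came from the application server and not from a proxy or load balancer in front of it, since intermediaries may answer unknown Expect values themselves.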

Solutions:
Applying APAR PK51068, or a Fix Pack containing this APAR, resolves this issue.

For IBM WebSphere Application Server for Distributed:
    For V5.1.1.4 through 5.1.1.16:
    • Apply interim fix APAR PK51068
      or
    • Apply Fix Pack 17 (5.1.1.17) or later (targeted for availability 04 Jan 2008).

For IBM WebSphere Application Server for i5/OS:
    For V5.1.1.4 through 5.1.1.16:
    • Apply interim fix APAR PK51068
      or
    • Apply Fix Pack 17 (5.1.1.17) or later (targeted for availability 04 Jan 2008).

Additional documentation:
For additional details and information on WebSphere Application Server product updates:

Change History
26 Oct 2007    Created
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Document information
 Product categories:
 Software
 Application Servers
 Distributed Application & Web Servers
 WebSphere End of Support Products
 WebSphere Application Server
 Operating system(s):
  AIX, HP-UX, IBM i, Linux, Linux Red Hat - pSeries, Linux pSeries, Linux zSeries, Solaris, Windows
 Software version:
  5.1.1.4, 5.1.1.5, 5.1.1.6, 5.1.1.7, 5.1.1.8, 5.1.1.9, 5.1.1.10, 5.1.1.11, 5.1.1.12, 5.1.1.13, 5.1.1.14, 5.1.1.15, 5.1.1.16
 Software edition:
  Base, Developer, Express, Network Deployment
 Reference #:
  1279099
 IBM Group:
 Software Group
 Modified date:
 2009-02-09