PK51068; 5.1.1.16: WebContainer response to unrecognized Expect Header

 Downloadable files
 
Abstract
Client requests can contain an "Expect" header whose value is arbitrary, including script code that the browser would execute, which may expose the client machine to a security exposure.
 
Download Description
PK51068 resolves the following problem:

ERROR DESCRIPTION:
XSS = Cross Site Scripting

According to section 14.20 of RFC 2616:

A server that does not understand or is unable to comply with any of the expectation values in the Expect field of a request MUST respond with appropriate error status.

However, it does not state whether the response should include the specified value. This leaves open the possibility that a request could be received whose Expect header contains malicious scripting code (e.g., JavaScript).

The version 5.1 WebContainer echoes the unrecognized Expect header back to the client.

LOCAL FIX:
n/a

PROBLEM SUMMARY

USERS AFFECTED:
All IBM® WebSphere® Application Server version 5.1.1.4 and later customers.

PROBLEM DESCRIPTION:
Client requests can contain an "Expect" header whose value is arbitrary, including script code that the browser would execute, which may expose the client machine to a security exposure.

RECOMMENDATION:
None

Currently, the Application Server responds to such an Expect header by returning the unrecognized/unknown header value back to the client. This exposes the client browser to a potential security exposure.

The Application Server returns the correct status code of 417 when the Expect header does not meet the requirement; however, it also returns the original header value back to the browser. This value can contain malicious script that can potentially cause the browser to post forms that obtain user data.

PROBLEM CONCLUSION:
The WebContainer has been updated to block the unsupported or unrecognized original Expect header from being returned to the client.
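The following is an added illustration, not IBM's WebContainer code, of the two behaviours this APAR contrasts: a minimal HTTP/1.1 responder that, in its unhardened mode, reproduces the echo of an unrecognized Expect value into an HTML error body, and in its hardened mode returns 417 without reflecting the value, matching the fix described above. The request format, the "example.test" host and the marker value are constructed for the example; the reflects_unescaped check is a simple defender-side test that a response body does not carry the raw header value.

```python
"""Added example (not the WebContainer's own code): unrecognized Expect
header handling before and after the PK51068-style fix."""
from typing import Optional, Tuple

# Constructed sample value: anything other than "100-continue" is
# unrecognized and should draw a 417 Expectation Failed.
SAMPLE_EXPECT = "<b>constructed-marker</b>"


def build_request(expect_value: str) -> str:
    """Construct a raw GET request carrying the given Expect header."""
    return ("GET / HTTP/1.1\r\nHost: example.test\r\n"
            f"Expect: {expect_value}\r\n\r\n")


def parse_expect_header(raw_request: str) -> Optional[str]:
    """Return the Expect header value from a raw request, or None if absent."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "expect":
            return value.strip()
    return None


def respond(raw_request: str, hardened: bool = True) -> Tuple[int, str]:
    """Return (status, body) for the request.

    hardened=False reproduces the behaviour the APAR describes: the
    unrecognized value is placed verbatim into an HTML body, so any markup
    in it reaches the browser.  hardened=True answers 417 with a fixed body
    and never returns the original header value.
    """
    expect = parse_expect_header(raw_request)
    if expect is None or expect.lower() == "100-continue":
        return 200, "OK"
    if hardened:
        return 417, "Expectation Failed"
    # Vulnerable pattern: unrecognized value reflected unescaped into HTML.
    return 417, f"<html><body>Unknown Expect: {expect}</body></html>"


def reflects_unescaped(header_value: str, body: str) -> bool:
    """Detection check: True when a header value containing HTML-significant
    characters appears verbatim (unescaped) in the response body."""
    has_markup = any(c in header_value for c in "<>\"'")
    return has_markup and header_value in body


if __name__ == "__main__":
    for mode in (False, True):
        status, body = respond(build_request(SAMPLE_EXPECT), hardened=mode)
        print(f"hardened={mode}: {status} reflected={reflects_unescaped(SAMPLE_EXPECT, body)}")
```

Running the block prints one line per mode; only the unhardened response reflects the marker. The hardened branch deliberately returns a constant body rather than an escaped copy of the value, which is the simplest way to guarantee that nothing client-controlled is echoed in the error response.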

The fix for this APAR is currently targeted for inclusion in cumulative fix 5.1.1.17.


Please refer to the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

 
Prerequisites
Please download the UpdateInstaller below to install this fix.
 
URL               LANGUAGE     SIZE (Bytes)
UpdateInstaller   US English   7250000
 
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL               LANGUAGE     SIZE (Bytes)
Readme            US English   6300
 
Download package
Download        RELEASE DATE   LANGUAGE     SIZE (Bytes)   Download Options
PK51068_Fix     10-24-2007     US English   10845          FTP, DD
 
Technical support
Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or call 1-800-IBM-SERV (U.S. only).
 
Problems (APARS) fixed
PK51068
 
 

Document information
 Product categories:
 Software
 Application Servers
 Distributed Application & Web Servers
 WebSphere End of Support Products
 WebSphere Application Server
 Operating system(s):
  AIX, HP-UX, IBM i, Linux, Linux Red Hat - pSeries, Linux pSeries, Linux zSeries, Solaris, Windows
 Software version:
  5.1.1.4, 5.1.1.5, 5.1.1.6, 5.1.1.7, 5.1.1.8, 5.1.1.9, 5.1.1.10, 5.1.1.11, 5.1.1.12, 5.1.1.13, 5.1.1.14, 5.1.1.15, 5.1.1.16
 Software edition:
  Base, Developer, Express, Network Deployment, Single Server
 Reference #:
  4017314
 IBM Group:
 Software Group
 Modified date:
 2007-10-25
