Potential Exposure when using logoutExitPage Feature in IBM WebSphere Application Server (PK71126)

Flash (Alert)


Abstract

Potential Exposure when using logoutExitPage Feature in IBM WebSphere Application Server

Content

Versions affected:
IBM® WebSphere® Application Server V5.0, V5.1 through 5.1.1.19, V6.0 through 6.0.2.29, V6.1 through 6.1.0.21.

This does not occur on V6.0.2.33 or later, V6.1.0.23 or later, or V7.

Problem Description:
Customers who use the logoutExitPage feature are exposed to a potential redirection issue: the logout exit page target can send the user to an undesired hostname or website.

Solution:
Applying APAR PK71126, or a Fix Pack containing this APAR, resolves this issue.

Two new properties have been introduced with this APAR:

  1. com.ibm.websphere.security.allowAnyLogoutExitPageHost=true/false (default false)
    • When false, the logoutExitPage may only redirect within the same host that is servicing the request. Setting this property to true allows redirection to any host. Setting to true is not recommended.
  2. com.ibm.websphere.security.logoutExitPageDomainList=host1|host2|host3 (no default)
    • Specify the list of host names to which the logoutExitPage is allowed to redirect. This is the preferred method of enabling redirection to alternate hosts. For example: www.host1.com|www.host2.com
      • The separator is the vertical bar (|).
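The following is an added example, not code from IBM or the WebSphere product: a small reference check that mirrors the policy the two properties describe, so an administrator can reason about which logoutExitPage targets a given configuration would permit. The function names are hypothetical; the two property names are the ones introduced by the APAR, and the rejection of non-http(s) schemes is an assumption added here.

```python
"""Reference check mirroring the PK71126 logoutExitPage policy (added example)."""
from urllib.parse import urlsplit

# Property names as introduced by APAR PK71126.
ANY_HOST_PROP = "com.ibm.websphere.security.allowAnyLogoutExitPageHost"
DOMAIN_LIST_PROP = "com.ibm.websphere.security.logoutExitPageDomainList"


def parse_domain_list(value):
    """Split the vertical-bar separated host list; blanks are ignored."""
    return {h.strip().lower() for h in (value or "").split("|") if h.strip()}


def logout_redirect_allowed(exit_page, request_host, props):
    """Return True if exit_page may be used as the post-logout redirect.

    Policy as documented for the APAR:
      * a relative target, or one on the host servicing the request, is allowed;
      * allowAnyLogoutExitPageHost=true permits any host (not recommended);
      * otherwise the target host must appear in logoutExitPageDomainList.
    """
    parts = urlsplit(exit_page.strip())
    # Assumption added here: only http(s) (or scheme-less) targets are redirects.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    target_host = (parts.hostname or "").lower()  # strips port and userinfo
    if not target_host:
        return True  # no authority component: a path on the current host
    if target_host == request_host.lower():
        return True
    if props.get(ANY_HOST_PROP, "false").strip().lower() == "true":
        return True
    return target_host in parse_domain_list(props.get(DOMAIN_LIST_PROP))
```

With the default (empty) properties only same-host and relative targets pass; adding a host to the domain list admits exactly that host, including when it arrives with a port or mixed case.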

For IBM WebSphere Application Server for Distributed:
    For V6.1 through V6.1.0.21:
    • Upgrade to Fix Pack 19 (i.e., if you are not already at 6.1.0.19 or later), and then
    • Apply APAR Interim Fix APAR PK71126
      --OR--
    • Apply Fix Pack 23 or later (i.e., 6.1.0.23, when available.)
    For V6.0 through V6.0.2.31:
    • Upgrade to Refresh Pack 2 (i.e., if not already at 6.0.2.x or later), and then
    • Upgrade to Fix Pack 29 or later (i.e., if not already at 6.0.2.29 or later), and then
    • Apply APAR Interim Fix APAR PK71126
      --OR--
    • Apply Fix Pack 33 or later (i.e., 6.0.2.33, when available.)
    For V5.1:
    For V5.0:
    • Upgrade to Fix Pack 2 (i.e., if not already at 5.0.2.x or later), and then
    • Upgrade to Fix Pack 18 or later (i.e., if not already at 5.0.2.18 or later), and then
    • Apply APAR Interim Fix APAR PK71126

For IBM WebSphere Application Server for i5/OS:
    For V6.1 through V6.1.0.21:
    • Upgrade to Fix Pack 21 (i.e., if you are not already at 6.1.0.21 or later), and then
    • Apply APAR Interim Fix APAR PK71126
      --OR--
    • Apply Fix Pack 23 or later (i.e., 6.1.0.23, when available.)
    For V6.0 through V6.0.2.31:
    For V5.1:
    • Apply the WebSphere Application Server V5.1 for iSeries PTF group (if not at 5.1.1.19 already).
    • Apply the PTF for your Application Server V5.1 product:
      • Base/Developers: 5733W51 SI33809
      • Network Deployment: 5733W51 SI33808
      • Express: 5722E51 SI33811
    For V5.0:
    • V5.0 is no longer in service (ended 30 September 2006). Additional assistance will only be provided with the purchase of a support extension.
For IBM WebSphere Application Server for z/OS:
    For V6.1 through V6.1.0.21:
    • Apply APAR PK71126 via PTFs for 6.1.0.22 or later, when available.
    For V6.0 through V6.0.2.31:
    • Apply APAR PK71126 via PTFs for 6.0.2.33 or later, when available.
    For V5.1:
    • Request a ++APAR fix for PK71126 as 5.1 is out of support.
      • V5.1 is no longer in service (ended 26 September 2008). Additional assistance will only be provided with the purchase of a support extension.
    For V5.0:
    • Request a ++APAR fix for PK71126 as 5.0 is out of support.
      • V5.0 is no longer in service (ended 30 September 2006). Additional assistance will only be provided with the purchase of a support extension.

Additional documentation:
For additional details and information on WebSphere Application Server product updates:

Cross reference information
Segment: Application Servers
Product: WebSphere Application Server for z/OS
Platform: z/OS
Version: 6.1, 6.0

Document information
More support for: WebSphere Application Server, Security
Software version: 5.1, 6.0, 6.1
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows
Software edition: Base, Express, Network Deployment
Reference #: 1320242
Modified date: 2008-12-17
