Flash (Alert)
Abstract
A script can be injected into a URL that points at the vulnerable login page. Such a URL could be sent to users (for example, in a phishing mail); users who follow the link execute the injected script in their browser.
Content
A vulnerability has been reported to IBM by Hacktics, Ltd., describing that the login page of the IBM Lotus Workplace Web Content Manager (WCM) is susceptible to Reflected Cross Site Scripting attacks.
Overall CVSS Score: 6.8
Affected systems: All WCM systems and all WebSphere Portal installations are affected even if the WCM component is not active. IBM Lotus Quickr Services for WebSphere Portal is also affected.
IBM recommendation:
- If your environment is protected behind an HTTP server infrastructure, IBM recommends blocking access to the URL <wps_contextroot>/wcm/webinterface (for example, /wps/wcm/webinterface where <wps_contextroot> = wps).
- If you are unable to block access, then remove the login page as documented in Steps to disable access to the login.jsp (#1421874).
- If you do require web access to this page, install the appropriate fix as found in the table below.
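The first recommendation above, written out as an IBM HTTP Server / Apache httpd configuration fragment. This is an added example and not part of the IBM advisory; it assumes the default context root wps (so the URL is /wps/wcm/webinterface), an Apache 2.2-based server such as IBM HTTP Server 7.0, and that all client traffic reaches WebSphere Portal through this HTTP server.

```apache
# Added example: deny all client access to the WCM login page, as IBM
# recommends while the fix for PM03233 is not yet installed.
# Assumes <wps_contextroot> = wps. Place this in httpd.conf (or an
# included conf file) and restart the HTTP server.

# <Location> matches the given path and everything below it, so this
# also covers /wps/wcm/webinterface/login.jsp and similar sub-paths.
<Location /wps/wcm/webinterface>
    # Apache 2.2 / IBM HTTP Server 7.0 access-control syntax
    Order deny,allow
    Deny from all

    # Apache 2.4 equivalent (use instead of the two lines above):
    # Require all denied
</Location>
```

After the restart, a request for that path through the HTTP server should be answered with 403 Forbidden. The rule only covers traffic that passes through this HTTP server: a client that can reach the WebSphere application server's own HTTP transport port directly bypasses it, which is why the second and third recommendations (removing the login page, or installing the fix) still apply to such deployments.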
WebSphere Portal, Lotus WCM and Workplace WCM

| Version | Fix | Comment |
|---|---|---|
| 6.1.0.3, 6.1.5.0 | Install Cumulative Fix (CF) 27 or later | Download the current Cumulative Fix from the Recommended Updates page. |
| 6.1.0.1, 6.1.0.2, | Install Cumulative Fix (CF) 24 or later | Download the current Cumulative Fix from the Recommended Updates page. |
| 6.1.0.0 | Install the fix for PM03233 | Available from Fix Central (link) |
| 6.0.1.7 | Install Cumulative Fix (CF) 37 or later | Download the current Cumulative Fix from the Recommended Updates page. |
| 6.0.1.4, 6.0.1.5, 6.0.1.6 | Install Cumulative Fix (CF) 34 or later | Download the current Cumulative Fix from the Recommended Updates page. |
| 6.0.1.3 | Install the fix for PM03233 | Available from Fix Central (link). This download includes all of the prerequisite fixes also in the same package. |
| 6.0.1.0, 6.0.1.1, 6.0.1.2 | Upgrade to V6.0.1.3 or a higher fix pack level and install the fix for PM03233 | If you are unable to update the server to V6.0.1.3 or higher, disable access to the login page. |
| 6.0.0.4 | Install the fix for PM03233 | Available from Fix Central (link). This download includes all of the prerequisite fixes also in the same package. |
| 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3 | Upgrade to V6.0.0.4 or a higher fix pack level and install the fix for PM03233 | If you are unable to update the server to V6.0.0.4 or higher, disable access to the login page. |
| 5.1.0.5 | Install the fix for PM03233 | Available from Fix Central (link). This download includes all of the prerequisite fixes also in the same package. |
| 5.1.0.0, 5.1.0.1, 5.1.0.2, 5.1.0.3, 5.1.0.4 | Upgrade to V5.1.0.5 and install the fix for PM03233 | If you are unable to update the server to V5.1.0.5, disable access to the login page. |

Lotus Quickr services for WebSphere Portal

| Version | Fix | Comment |
|---|---|---|
| 8.1, 8.1.1, 8.1.1.1 | Install the fix for PM03233 | Available from Fix Central (link) |
| 8.0.0.2 | Install the fix for PM03233 | Available from Fix Central (link) |
| 8.0 | Upgrade to V8.0.0.2 or higher and install the fix for PM03233 | If you are unable to update the server to V8.0.0.2 or higher, disable access to the login page. |
Change History:
24 February 2010 - initial release
26 February 2010 - updated with additional links to fixes for V6.0.1.3, 6.0.0.4 and 5.1.0.5
04 March 2010 - updated with link to V6.1.0.3 and 6.1.5.0 cumulative fix integrating the fix for PM03233
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Enterprise Content Management | Workplace Web Content Management | Security & User Management | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 6.0, 5.1.0.5, 5.1.0.4, 5.1.0.3, 5.1.0.1, 5.1.0 | Java edition |
| Organizational Productivity- Portals & Collaboration | WebSphere Portal | Security | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 6.1, 6.0 | Enable, Extend, Server, Express |
| Organizational Productivity- Portals & Collaboration | WebSphere Portal End of Support Products | Security | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 5.1.0.5, 5.1.0.4, 5.1.0.3, 5.1.0.2, 5.1.0.1, 5.1.0.0, 5.1 | Enable, Experience, Extend |
| Organizational Productivity- Portals & Collaboration | Lotus Quickr for WebSphere Portal | Security | | 8.1 | All Editions |