Security Risk with Fix Available: WCM login page vulnerable to cross site scripting attacks, also affects WebSphere Portal and Quickr services for WebSphere Portal

Flash (Alert)


Abstract

A script can be injected into a URL that points at a vulnerable login page. Such a URL could be sent to users (for example, in a phishing mail); users who follow the link would execute the injected script in their browser.

Content

A vulnerability has been reported to IBM by Hacktics, Ltd., describing that the login page of the IBM Lotus Workplace Web Content Manager (WCM) is susceptible to reflected cross-site scripting (XSS) attacks.


Overall CVSS Score: 6.8

Affected systems: All WCM systems and all WebSphere Portal installations are affected, even if the WCM component is not active. IBM Lotus Quickr Services for WebSphere Portal is also affected.

IBM recommendation:

  • If your environment is protected behind an HTTP server infrastructure, IBM recommends blocking access to the URL <wps_contextroot>/wcm/webinterface at the HTTP server (for example, /wps/wcm/webinterface where <wps_contextroot> = wps).
  • If you are unable to block access, remove the login page as documented in Steps to disable access to the login.jsp (#1421874).
  • If you do require web access to this page, install the appropriate fix from the table below.
WebSphere Portal, Lotus WCM and Workplace WCM

Version | Fix | Comment
6.1.0.3, 6.1.5.0 | Install Cumulative Fix (CF) 27 or later | Download the current Cumulative Fix from the Recommended Updates page.
6.1.0.1, 6.1.0.2 | Install Cumulative Fix (CF) 24 or later | Download the current Cumulative Fix from the Recommended Updates page.
6.1.0.0 | Install the fix for PM03233 | Available from Fix Central.
6.0.1.7 | Install Cumulative Fix (CF) 37 or later | Download the current Cumulative Fix from the Recommended Updates page.
6.0.1.4, 6.0.1.5, 6.0.1.6 | Install Cumulative Fix (CF) 34 or later | Download the current Cumulative Fix from the Recommended Updates page.
6.0.1.3 | Install the fix for PM03233 | Available from Fix Central. This download also includes all prerequisite fixes in the same package.
6.0.1.0, 6.0.1.1, 6.0.1.2 | Upgrade to V6.0.1.3 or a higher fix pack level and install the fix for PM03233 | If you are unable to update the server to V6.0.1.3 or higher, disable access to the login page.
6.0.0.4 | Install the fix for PM03233 | Available from Fix Central. This download also includes all prerequisite fixes in the same package.
6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3 | Upgrade to V6.0.0.4 or a higher fix pack level and install the fix for PM03233 | If you are unable to update the server to V6.0.0.4 or higher, disable access to the login page.
5.1.0.5 | Install the fix for PM03233 | Available from Fix Central. This download also includes all prerequisite fixes in the same package.
5.1.0.0, 5.1.0.1, 5.1.0.2, 5.1.0.3, 5.1.0.4 | Upgrade to V5.1.0.5 and install the fix for PM03233 | If you are unable to update the server to V5.1.0.5, disable access to the login page.

Lotus Quickr services for WebSphere Portal

Version | Fix | Comment
8.1, 8.1.1, 8.1.1.1 | Install the fix for PM03233 | Available from Fix Central.
8.0.0.2 | Install the fix for PM03233 | Available from Fix Central.
8.0 | Upgrade to V8.0.0.2 or higher and install the fix for PM03233 | If you are unable to update the server to V8.0.0.2 or higher, disable access to the login page.
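The following is an added example of the first recommendation above (blocking the URL at the HTTP server); it is not part of the IBM Flash. It assumes an Apache httpd 2.2-based IBM HTTP Server in front of the portal, a context root of wps (so the path is /wps/wcm/webinterface), and that this access control is evaluated before the WebSphere plug-in forwards the request.

```apache
# Added example (not from the IBM Flash): deny access to the WCM web
# interface at the HTTP server so the vulnerable login page cannot be
# reached through it. Assumes context root "wps" and that Apache access
# control runs before the WebSphere plug-in forwards the request.

# Apache httpd 2.2 / IBM HTTP Server syntax
<LocationMatch "^/wps/wcm/webinterface">
    Order deny,allow
    Deny from all
</LocationMatch>

# Equivalent for Apache httpd 2.4 and later (uncomment if applicable)
# <LocationMatch "^/wps/wcm/webinterface">
#     Require all denied
# </LocationMatch>
```

Denied requests are answered with HTTP 403 and recorded in the access log, so the log can be monitored for attempts to reach the blocked page.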

Change History:
24 February 2010 - initial release
26 February 2010 - updated with additional links to fixes for V6.0.1.3, 6.0.0.4 and 5.1.0.5
04 March 2010 - updated with link to V6.1.0.3 and 6.1.5.0 cumulative fix integrating the fix for PM03233


Cross reference information

Segment | Product | Component | Platform | Version | Edition
Enterprise Content Management | Workplace Web Content Management | Security & User Management | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 6.0, 5.1.0.5, 5.1.0.4, 5.1.0.3, 5.1.0.1, 5.1.0 | Java edition
Organizational Productivity - Portals & Collaboration | WebSphere Portal | Security | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 6.1, 6.0 | Enable, Extend, Server, Express
Organizational Productivity - Portals & Collaboration | WebSphere Portal End of Support Products | Security | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 5.1.0.5, 5.1.0.4, 5.1.0.3, 5.1.0.2, 5.1.0.1, 5.1.0.0, 5.1 | Enable, Experience, Extend
Organizational Productivity - Portals & Collaboration | Lotus Quickr for WebSphere Portal | Security | | 8.1 | All Editions


Document information

More support for: WebSphere Portal, Security
Software version: 6.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, i5/OS, z/OS
Software edition: Java edition
Reference #: 1421469
Modified date: 2010-03-04
