Security vulnerabilities have been discovered in the IBM Rational Directory Server (RDS) Help system shipped with the RDS product. When the Help file is opened in Rational Directory Administrator (RDA), the 'href' parameter of advanced/deferredView.jsp exposes the following security vulnerabilities: Open Redirect and Cross-Site Scripting.
The following vulnerabilities were found in the RDS Help (the 'Help' -> 'Help' menu item in the RDA window):
- Open Redirect:
If the product is vulnerable, the browser redirects to the Google home page.
- Cross-Site Scripting:
If the product is vulnerable, an alert/dialog box pops up containing injected text.
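As an added example that is not part of the IBM advisory, the Python below scans Tomcat access-log lines for requests to advanced/deferredView.jsp whose href value is an absolute or scheme-relative URL (redirect) or carries markup or a script scheme (injection), so an administrator can tell whether the two issues above have been probed before the fixed help war is in place. The /rds-help context path, the common-log-format layout and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path of the affected JSP named in the advisory; the /rds-help context path
# used in the sample log lines below is an assumption.
AFFECTED_PATH = "/advanced/deferredView.jsp"

# Tomcat access log in common log format: client, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not taken from a real RDS installation.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jun/2012:10:01:12 +0000] "GET /rds-help/advanced/deferredView.jsp?href=topics/intro.html HTTP/1.1" 200 3120
10.0.0.9 - - [20/Jun/2012:10:02:45 +0000] "GET /rds-help/advanced/deferredView.jsp?href=http://www.google.com/ HTTP/1.1" 302 0
10.0.0.9 - - [20/Jun/2012:10:03:01 +0000] "GET /rds-help/advanced/deferredView.jsp?href=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.7 - - [20/Jun/2012:10:04:10 +0000] "GET /rds-help/index.jsp HTTP/1.1" 200 2048
"""

def classify_href(href):
    """Return 'open_redirect', 'xss' or None for one decoded href value."""
    # Legitimate help links are relative paths inside the help war, so any
    # absolute or scheme-relative URL is a redirect attempt and any markup
    # or script-scheme value is an injection attempt.
    value = unquote(href).strip()  # second decode catches double-encoding
    if value.lower().startswith(("javascript:", "data:", "vbscript:")) or any(c in value for c in "<>\"'"):
        return "xss"
    if urlsplit(value).scheme or value[:2] in ("//", "/\\", "\\\\"):
        return "open_redirect"
    return None

def scan_log(text):
    """Return one finding per request that abuses the href parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(AFFECTED_PATH):
            continue
        for href in parse_qs(url.query).get("href", []):
            kind = classify_href(href)
            if kind:
                findings.append({"client": m["client"], "time": m["ts"], "kind": kind,
                                 "status": int(m["status"]), "href": unquote(href)})
    return findings
```

A 302 status on a flagged redirect request confirms the server actually followed the external href rather than serving the help page.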
This vulnerability affects all versions of RDA (Tivoli) and RDA (Apache). The complete fix for this issue will be delivered through different release cycles:
- RDA Tivoli: RDS 22.214.171.124 iFix02 is scheduled to be released on 21st June 2012
- RDA Apache: a fix pack release, RDS 126.96.36.199, is planned for the end of August 2012
In the meantime, the risk can be mitigated with the following steps:
- Download the rds-help.zip file and extract rds-help.war from it.
- Stop the WebAccessServer (the Apache Tomcat server):
  Windows: <RDS\RDA install location>\WebAccessServer\apache-tomcat-x.0.xx\bin\catalina.bat stop
  UNIX/Linux: <RDS/RDA install location>/WebAccessServer/apache-tomcat-x.0.xx/bin/catalina.sh stop
- Go to the directory in the RDS/RDA install location where the war file is deployed:
  Windows: <RDS\RDA install location>\WebAccessServer\apache-tomcat-x.0.xx\webapps\
  UNIX/Linux: <RDS/RDA install location>/WebAccessServer/apache-tomcat-x.0.xx/webapps/
- Delete or back up the following:
- Copy the downloaded rds-help.war into this directory, replacing the existing one.
- Start the WebAccessServer:
  Windows: <RDS\RDA install location>\WebAccessServer\Start_RDAWebServer.bat
  UNIX/Linux: <RDS/RDA install location>/WebAccessServer/Start_RDAWebServer.sh
Note: This help file contains content for RDS versions 5.2 (Tivoli) and later, and RDS 5.1.1 (Apache) and later.