The IBM Tivoli Access Manager for e-business "illegal-url-substrings" feature can be bypassed, disabling the web vulnerability mitigation capability that it offers.
The "illegal-url-substrings" feature is intended to allow the specification of URL string patterns that will be blocked by WebSEAL, which may help mitigate web vulnerabilities such as Cross Site Scripting.
An example of such a pattern is the pattern "<script", which is configured by default. WebSEAL should, upon receiving a URL containing this pattern anywhere in the URL string, block the request.
It is possible to bypass this protection with crafted URLs, causing WebSEAL to fail to correctly parse the URL, and to fail to block the request.
The attack does not require local network access nor does it require authentication, but specialized knowledge and techniques are required. An exploit will not impact accessibility of system resources or the confidentiality of information, but the integrity of data transmitted to the user browser could be compromised. The consequence of this compromise is that a user could be exposed to web vulnerabilities, such as cross site scripting, that the illegal-url-substrings features is intended to help mitigate.
CVSS Base Score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Tivoli Access Manager WebSEAL 5.1 (out of service)
Tivoli Access Manager WebSEAL 6.0.0 versions before Fixpack 25
Tivoli Access Manager WebSEAL 6.1.0 versions before Fixpack 4
Customers using version 5.1 should upgrade to a supported version of the product.
Vendor Fixes: Patches and installation instructions are provided at the URLs listed below.
The use of a separate Intrusion Prevention System can help mitigate web vulnerabilities such as cross site scripting.
Complete CVSS Guide
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
This vulnerability was reported to IBM by Ben Campbell of Logica
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Rate this page:
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.