IBM Support

PK71126; 6.1.0.21: Need to limit the redirection

Abstract

The destination of the form logout exit page is not restricted.

Download Description

PK71126 resolves the following problem:

ERROR DESCRIPTION:
The ibm_security_logout servlet allows the caller to specify a web page to be displayed after logout processing completes. This web page is currently unrestricted, so the user can be redirected anywhere. There needs to be a mechanism in place to limit the redirection to specific locations.

LOCAL FIX: None

PROBLEM SUMMARY: The destination of the form logout exit page is not restricted.

USERS AFFECTED:
All users of IBM WebSphere Application Server running with security enabled.

PROBLEM DESCRIPTION:
The destination of the form logout exit page is not restricted.

RECOMMENDATION:
None

The destination of the form logout exit page is not restricted. This leaves an open redirect: a user who has just logged out can be sent to any site the caller names.

PROBLEM CONCLUSION:
The code has been modified to restrict the logoutExitPage redirection to the same host that is processing the current request. If redirection to other hosts is required, one of the following security custom properties must be specified:

com.ibm.websphere.security.allowAnyLogoutExitPageHost=true/false
When true, the redirection is unrestricted, and the following property is ignored. The default is false.

com.ibm.websphere.security.logoutExitPageDomainList=<host1|host2|host3>
This is a list of hosts that are valid targets for the redirection specified by logoutExitPage. The separator is the vertical bar. There is no default.

If the specified logoutExitPage is not valid, a default page indicating successful logout is displayed.
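As an added illustration (not IBM's code), the Python function below applies the policy this APAR describes: a same-host or relative target is allowed, another host only when it appears in logoutExitPageDomainList or when allowAnyLogoutExitPageHost is true, and anything else is replaced by the default logout page. The function names, the default page path, the port stripping and the rejection of non-HTTP schemes and backslashes are assumptions, since the APAR does not say how WebSphere parses or matches hosts.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the APAR only says "a default page indicating
# successful logout is displayed"; the real path is not given.
DEFAULT_LOGOUT_PAGE = "/ibm_security_logout_success_placeholder"


def parse_domain_list(value):
    """Split com.ibm.websphere.security.logoutExitPageDomainList (vertical-bar separated)."""
    return {h.strip().lower() for h in value.split("|") if h.strip()}


def logout_exit_target(request_host, logout_exit_page,
                       allow_any_host=False, domain_list=""):
    """Return the page the logout servlet may redirect to, or DEFAULT_LOGOUT_PAGE.

    request_host   -- host of the request being processed (optional :port; IPv6 literals not handled)
    allow_any_host -- value of com.ibm.websphere.security.allowAnyLogoutExitPageHost
    domain_list    -- value of com.ibm.websphere.security.logoutExitPageDomainList
    """
    if not logout_exit_page:
        return DEFAULT_LOGOUT_PAGE
    if allow_any_host:
        # allowAnyLogoutExitPageHost=true: redirection is unrestricted and the
        # domain list is ignored, as the APAR states.
        return logout_exit_page

    parts = urlsplit(logout_exit_page)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_LOGOUT_PAGE        # javascript:, data: and similar (assumed policy)
    if "\\" in logout_exit_page:
        return DEFAULT_LOGOUT_PAGE        # browsers read "/\host" as "//host" (assumed policy)
    target_host = (parts.hostname or "").lower()
    if not target_host:
        if parts.scheme:
            return DEFAULT_LOGOUT_PAGE    # "http:host" parses without a host; reject
        return logout_exit_page           # plain relative path stays on this host

    # Same host as the current request, plus any hosts from the domain list.
    allowed = {request_host.lower().split(":")[0]} | parse_domain_list(domain_list)
    return logout_exit_page if target_host in allowed else DEFAULT_LOGOUT_PAGE
```

Note that "//evil.example/..." parses with a host, so it is checked against the allowed set rather than treated as a relative path.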

The fix for this APAR is currently targeted for inclusion in fix packs 6.0.2.33 and 6.1.0.23.

Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller to install this fix.

UpdateInstaller (US English, AIX): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, 7109 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK71126/readme.txt

Fix downloads (all dated 12/16/2008, US English, AIX):

6.1.0.19-WS-WAS-IFPK71126C (79408 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK71126/6.1.0.19-WS-WAS-IFPK71126C.pak

6.1.0.19-WS-WAS-IFPK71126CE (79065 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK71126/6.1.0.19-WS-WAS-IFPK71126CE.pak

6.0.2.29-WS-WAS-IFPK71126 (35896 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK71126/6.0.2.29-WS-WAS-IFPK71126.pak

5.0.2.18-WS-WAS-IFPK71126 (20149 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK71126/5.0.2.18-WS-WAS-IFPK71126.jar

5.1.1.19-WS-WAS-IFPK71126 (23919 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK71126/5.1.1.19-WS-WAS-IFPK71126.jar

Technical Support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Component: Security
Platforms: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Versions: 6.1.0.21, 6.1.0.19, 6.0.2.31, 6.0.2.29, 5.1.1.19
Editions: Base, Express, Network Deployment

Document Information

Modified date:
15 June 2018

UID

swg24021527