PK71126; 6.1.0.21: Need to limit the redirection

Downloadable files


Abstract

The destination of the form logout exit page is not restricted.

Download Description

PK71126 resolves the following problem:

ERROR DESCRIPTION:
The ibm_security_logout servlet accepts a logoutExitPage parameter that names the web page to be displayed after the logout processing completes. This value is currently unrestricted, so the user can be redirected to any host after logging out. There needs to be a mechanism in place to limit the redirection to specific locations.

LOCAL FIX: None

PROBLEM SUMMARY: The destination of the form logout exit page is not restricted.

USERS AFFECTED:
All users of IBM WebSphere Application Server running with security enabled.

PROBLEM DESCRIPTION:
The destination of the form logout exit page is not restricted.

RECOMMENDATION:
None

The destination of the form logout exit page is not restricted. This opens up a potential vulnerability: the logout servlet behaves as an open redirect, since a link to it can send the user to any site once the logout completes.

PROBLEM CONCLUSION:
The code has been modified to restrict the logoutExitPage redirection to within the same host that is processing the current request. If redirection to other hosts is required, one of the following security custom properties must be specified:

com.ibm.websphere.security.allowAnyLogoutExitPageHost=true/false
When true, the redirection is unrestricted, and the following property is ignored. The default is false.

com.ibm.websphere.security.logoutExitPageDomainList=<host1|host2|host3>
This is a list of hosts that are valid targets for the redirection specified by logoutExitPage. The separator is the vertical bar. There is no default.

If the specified logoutExitPage is not a permitted target, a default page indicating successful logout is displayed instead.
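The following Python function is an added illustration of the rule described above; it is not WebSphere's own code (which this page does not reproduce) and only mirrors the documented policy: a relative target, or one whose host is the host serving the request, is always allowed; other hosts are allowed only if they appear in the logoutExitPageDomainList value (vertical-bar separated), unless allowAnyLogoutExitPageHost is true; everything else falls back to the default logout page. The function and constant names, the DEFAULT_LOGOUT_PAGE placeholder, the decision to compare hostnames only (ports ignored), and the rejection of non-http(s) schemes, userinfo tricks, backslash and protocol-relative forms are assumptions made for this example; the APAR text states only the host-based rule.

```python
from urllib.parse import urlsplit

# Placeholder for the server's built-in "logout successful" page. The real
# page WebSphere serves is not named in the APAR text, so this is an assumption.
DEFAULT_LOGOUT_PAGE = "/ibm_security_logout_default"


def _canonical(target):
    """Normalise a redirect target the way a browser would read it.

    Surrounding whitespace and ASCII control characters are dropped and
    backslashes are treated as forward slashes, so '/\\evil.example' is seen
    as the protocol-relative '//evil.example' that a browser would follow.
    """
    cleaned = "".join(ch for ch in target.strip() if ord(ch) > 0x1F)
    return cleaned.replace("\\", "/")


def _hostname(authority):
    """Hostname of an authority such as 'www.example.com:9443' (lower-cased, port dropped)."""
    return urlsplit("//" + authority).hostname


def target_hostname(target):
    """Classify a logoutExitPage value.

    Returns (valid, hostname). hostname is None for a relative path that stays
    on the request host. valid is False for anything that must never be used
    as a redirect target (non-http(s) schemes, unparsable authorities).
    """
    text = _canonical(target)
    parts = urlsplit(text)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False, None          # javascript:, data:, file: ... (assumption: never allowed)
    if parts.scheme or text.startswith("//"):
        # Absolute or protocol-relative URL. .hostname discards userinfo
        # ('good@evil.example' -> 'evil.example') and the port.
        if not parts.hostname:
            return False, None      # e.g. 'https://' or '///evil.example'
        return True, parts.hostname
    return True, None               # relative path: stays on the request host


def resolve_logout_exit_page(logout_exit_page, request_host,
                             allow_any_host=False, domain_list=""):
    """Apply the PK71126 rule: same host always; hosts in domain_list if
    configured; any host only when allow_any_host is True. Returns the URL to
    redirect to, or DEFAULT_LOGOUT_PAGE when the target is not permitted."""
    valid, host = target_hostname(logout_exit_page)
    if not valid:
        return DEFAULT_LOGOUT_PAGE
    if host is None or allow_any_host:
        return _canonical(logout_exit_page)
    allowed = {_hostname(request_host)}
    allowed.update(_hostname(h.strip()) for h in domain_list.split("|") if h.strip())
    return _canonical(logout_exit_page) if host in allowed else DEFAULT_LOGOUT_PAGE


if __name__ == "__main__":
    # Constructed inputs: a logout request arriving at www.example.com:9443.
    for page in ("/app/loggedout.jsp",
                 "https://www.example.com/app/loggedout.jsp",
                 "https://evil.example/phish",
                 "//evil.example/phish",
                 "/\\evil.example/phish",
                 "https://www.example.com@evil.example/",
                 "javascript:alert(1)"):
        print(page, "->", resolve_logout_exit_page(page, "www.example.com:9443"))
    print("with domain list ->", resolve_logout_exit_page(
        "https://partner.example/done", "www.example.com:9443",
        domain_list="partner.example|sso.example"))
```

The bypass-shaped inputs in the usage section (protocol-relative, backslash, userinfo, non-http scheme) are the ones worth re-testing against any deployment after applying the fix, since a same-host comparison that parses the target loosely can be defeated by exactly those forms.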

The fix for this APAR is currently targeted for inclusion in fix packs 6.0.2.33 and 6.1.0.23.

Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

URL              LANGUAGE    SIZE(Bytes)
UpdateInstaller  US English  7250000

Installation Instructions

Please review the readme.txt for detailed installation instructions.

URL      LANGUAGE    SIZE(Bytes)
Readme   US English  7109

Download package


Download                      RELEASE DATE  LANGUAGE    SIZE(Bytes)  Download Options
6.1.0.19-WS-WAS-IFPK71126C    12/16/2008    US English  79408        FC FTP DD
6.1.0.19-WS-WAS-IFPK71126CE   12/16/2008    US English  79065        FC FTP DD
6.0.2.29-WS-WAS-IFPK71126     12/16/2008    US English  35896        FC FTP DD
5.0.2.18-WS-WAS-IFPK71126     12/16/2008    US English  20149        FC FTP DD
5.1.1.19-WS-WAS-IFPK71126     12/16/2008    US English  23919        FC FTP DD

Technical support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or call 1-800-IBM-SERV (U.S. only).

Problems (APARS) fixed
PK71126

Document information


More support for:

WebSphere Application Server
Security

Software version:

5.1.1.19, 6.0.2.29, 6.0.2.31, 6.1.0.19, 6.1.0.21

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition:

Base, Express, Network Deployment

Reference #:

4021527

Modified date:

2008-12-17
