PK15571; 5.1.1.7: Inserting certain script tags in URLs may allow execution
 Downloadable files
 
Abstract
Inserting certain script tags in the SnoopServlet URL may allow the unintended execution of scripts.
 
Download Description
PK15571 resolves the following problem:

ERROR DESCRIPTION:
Most web browsers can interpret scripts embedded in web pages downloaded from a web server. Such scripts may be written in a variety of scripting languages and are run by the client's browser; most browsers are installed with script execution enabled by default.

This APAR is for the Snoop servlet shipped with the WebSphere Default Application. The servlet echoes request details, including the request path, back into its HTML response, so script tags placed in the URL are returned to the browser and executed there (a cross-site scripting exposure). The exposure can be reproduced by requesting the following URL:
'http://localhost:9080/snoop/<script>alert('Vulnerable')</script>'

Details can be found at: http://www.cert.org/advisories/CA-2000-02.html
Defects 96236 and 97003
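The reflection described above, as an added example that is not part of this APAR and not WebSphere's own SnoopServlet code: a Python model of a snoop-style handler that echoes the decoded request path into its HTML response unencoded (the vulnerable pattern), the same handler with HTML output encoding applied (the shape of the fix), and a check that reports whether the script tag from the URL above comes back intact. The handler bodies, the function names and the percent-decoding step are assumptions made for illustration.

```python
import html
from urllib.parse import unquote, urlsplit

# The URL quoted in the APAR; the payload is the part after /snoop/.
APAR_URL = "http://localhost:9080/snoop/<script>alert('Vulnerable')</script>"
PAYLOAD = "<script>alert('Vulnerable')</script>"


def request_path_of(url: str) -> str:
    """Return the path component a servlet would see for this URL.

    Assumption for this model: the path is percent-decoded before it is
    echoed, so '%3Cscript%3E' and '<script>' arrive identically.
    """
    return unquote(urlsplit(url).path)


def snoop_vulnerable(request_path: str) -> str:
    """Hypothetical snoop-style handler: echoes the request path verbatim.

    This is the vulnerable pattern (not WebSphere's actual servlet code):
    untrusted request data is concatenated into HTML with no encoding.
    """
    return (
        "<html><body><h2>Request information</h2>\n"
        f"<b>Request path:</b> {request_path}<br>\n"
        "</body></html>\n"
    )


def snoop_fixed(request_path: str) -> str:
    """Same handler with output encoding applied (the shape of the fix).

    html.escape turns < > & " ' into entities, so the browser renders the
    payload as text instead of parsing it as a script element.
    """
    return (
        "<html><body><h2>Request information</h2>\n"
        f"<b>Request path:</b> {html.escape(request_path, quote=True)}<br>\n"
        "</body></html>\n"
    )


def reflects_script(body: str, payload: str = PAYLOAD) -> bool:
    """True if the raw payload appears in the response body.

    A literal '<script>' in the body is what the browser executes; an
    entity-encoded copy ('&lt;script&gt;') is harmless text.
    """
    return payload in body


def check_handler(handler, url: str = APAR_URL) -> bool:
    """Run one handler against the APAR URL; True means it is exposed."""
    return reflects_script(handler(request_path_of(url)))


if __name__ == "__main__":
    for name, handler in (("vulnerable", snoop_vulnerable), ("fixed", snoop_fixed)):
        print(f"{name:10s} exposed={check_handler(handler)}")
        print(handler(request_path_of(APAR_URL)))
```

The same reflects_script test, applied to the body returned by a real GET for the URL above, tells you whether a server still reflects the payload. Note that it only looks for the literal payload: a server that rejects the request outright (for example with a 400 response) also passes, and a server that encodes `<` and `>` but not quotes may still be exploitable inside an attribute, so the encoding in the fixed handler covers quotes as well.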

LOCAL FIX:
none

PROBLEM SUMMARY

USERS AFFECTED:
IBM® WebSphere® Application Server Default Application or Snoop servlet users

PROBLEM DESCRIPTION:
Inserting certain script tags in the SnoopServlet URL may allow the unintended execution of scripts.

RECOMMENDATION:
None

PROBLEM CONCLUSION:
The exposure has been fixed. The fix is targeted for version 6.0.2.5.

Please refer to the recommended updates page for delivery information:
General/swg27004980.html
 
Prerequisites
Please download the UpdateInstaller below to install this fix.
 
URL LANGUAGE SIZE(Bytes)
UpdateInstaller US English 7250000
 
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL LANGUAGE SIZE(Bytes)
Readme US English 5828
 
Download package
Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
PK15571-502 01-13-2006 US English 37970 FTP DD
PK15571-511 01-13-2006 US English 83140 FTP DD
 
Technical support
Contact IBM Support using ESR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
 
Cross Reference information
Segment Product Component Platform Version Edition
Application Servers Runtimes for Java Technology Java SDK
Problems (APARS) fixed
PK15571
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Samples
Operating system(s): Windows
Software version: 5.1.1
Software edition:
Reference #: 4011435
IBM Group: Software Group
Modified date: Jan 20, 2006