PQ91361; 4.0.7: HTTP response splitting security vulnerability
 Downloadable files
 
Abstract
HTTP response splitting security vulnerability
 
Download Description
PQ91361 resolves the following problem:

PROBLEM SUMMARY:

USERS AFFECTED:
WebSphere Application Server must prevent HTTP response splitting attacks.

PROBLEM DESCRIPTION:
When a particular type of invalid HTTP header is used, it splits the response into two or more responses. Clients that receive such responses can be misled or redirected to a malicious site, exposing client information to the malicious server. The fix that resolves this vulnerability blocks the invalid HTTP headers so that HTTP response splitting cannot occur. If such an invalid header is sent, an IllegalArgumentException is thrown, which results in a 500 server error. The error is also logged to FFDC and to SystemErr.log.

RECOMMENDATION:
This fix ensures that HTTP header names and values cannot contain the sequences used to exploit this vulnerability. Attempts to set such a header result in an IllegalArgumentException, and the error is written to the error log.
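As an added example, not IBM's code and not the internal implementation of the WebSphere fix: a small Java guard that rejects header names and values containing the CR/LF characters that split a response, throwing IllegalArgumentException as the fix does. HeaderGuard, checkHeader and serialize are hypothetical names, and the tainted header value is constructed for the demonstration.

```java
// Added illustration, not IBM's WebSphere code: a header guard that rejects the CR/LF
// sequences used for response splitting, the behaviour the fix describes above.
public class HeaderGuard {
    /** Reject a header name or value that could split the response. */
    public static void checkHeader(String name, String value) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty header name");
        }
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            // Header names are RFC 2616 tokens: no control chars, no separators
            if (c <= ' ' || c >= 127 || ":()<>@,;\\\"/[]?={}".indexOf(c) >= 0) {
                throw new IllegalArgumentException("illegal character in header name at " + i);
            }
        }
        if (value == null) {
            return;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // CR or LF ends the header line; CRLF CRLF ends the whole header block
            if (c == '\r' || c == '\n') {
                throw new IllegalArgumentException("CR/LF in value of header " + name);
            }
        }
    }

    /** Serialize a 302 response only after every header has passed the guard. */
    public static String serialize(String[][] headers) {
        StringBuilder sb = new StringBuilder("HTTP/1.1 302 Found\r\n");
        for (String[] h : headers) {
            checkHeader(h[0], h[1]);
            sb.append(h[0]).append(": ").append(h[1]).append("\r\n");
        }
        return sb.append("\r\n").toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a redirect target copied from request input that carries
        // CRLF CRLF, which an unguarded writer would emit as the start of a second response.
        String tainted = "/home\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
        try {
            serialize(new String[][]{{"Location", tainted}});
        } catch (IllegalArgumentException e) {
            System.out.println("rejected (server would answer 500 and log it): " + e.getMessage());
        }
        System.out.print(serialize(new String[][]{{"Location", "/home"}}));
    }
}
```

The guard is applied before any byte of the header is written, so a rejected header never reaches the client; the first call throws and only the clean redirect is emitted.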
 
Prerequisites
NONE
 
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL LANGUAGE SIZE(Bytes)
Readme US English 2551
 
Download package
Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
PQ91361_Fix_407 7/14/2004 US English 1073609 FTP DD
 
Technical support
1-800-IBM-SERV (U.S. Only)
 
Cross Reference information
Segment Product Component Platform Version Edition
Application Servers Runtimes for Java Technology Java SDK
Problems (APARS) fixed
PQ91361
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Servlet Engine/Web Container
Operating system(s): Windows
Software version: 5.0
Software edition:
Reference #: 4007466
IBM Group: Software Group
Modified date: Aug 17, 2004