Fix (APAR): PK25851 Status: Fix Release: 5.0.2.18, 5.0.2.17, 5.0.2.16 Operating System: AIX,HP-UX,Linux,Solaris, Windows Supersedes Fixes: CMVC Defect: PK25851 Byte size of APAR: 26324 Date: 2006-06-30 Abstract: This is a security vulnerability issue where malicious users can give html scripts as input to some administrative console pages and thereby access sensitive information. Description/symptom of problem: PK25851 resolves the following problem: ERROR DESCRIPTION: PK17838 also occurs on the v5.0 release yet a fix was only made for v5.1 and v6.0. We need to backport the fix to the v5.0 release as well. LOCAL FIX: none PROBLEM SUMMARY USERS AFFECTED: Users of the administrative console application of Websphere Application Server version 5.0.2. PROBLEM DESCRIPTION: This is a security vulnerability issue where malicious users can give html scripts as input to some administrative console pages and thereby access sensitive information. RECOMMENDATION: None This issue is caused because HTML characters are not escaped when data is output by the GUI. PROBLEM CONCLUSION: As part of the code fix HTML input is encoded and sanitized so that the value is not interpreted but treated as normal input. There will be no more service packs for version 5.0.2. The fix for this APAR will be available via iFix. Directions to apply fix: NOTE: Choose the: 1) Release the fix applies to 2) The Editions that apply 3) Delete the Editions & Methods that do not apply and this Note Fix applies to Editions: Release: 5.0 5.1 ___ ___ Application Server (Express or BASE) ___ Enterprise Edition (DD) ___ ___ Network Deployment (ND) ___ ___ Edge Components ___ ___ Developers Edition ___ ___ Tools ___ WebSphere Business Integration Server Foundation (WBISF) Install Fix to: Method: __ Application Server Nodes __ Deployment Manager Nodes __ Both NOTE: The user must: * Have Administrative rights in Windows, or be the Actual Root User in a UNIX environments. * Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack. The Update Installer can be downloaded from the following link: http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991 The Update Installer for V5.0 does not have a maintenance directory. It uses fixpacks and fixes as the location of the unpacked files. 1) Copy PKxxxxx.jar file directly to the maintenance directory 2) Shutdown WebSphere Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that maintenance is being applied to. 3) Launch Update Installer 4) Enter the installation location of the WebSphere product you want to update. 5) Select the "Install maintenance package" operation. 6) Enter the file name of the maintenance package to install (PKxxxxx.jar file which was copied in the maintenance directory). The V5.0 and V5.1 fix packs and fixes are unpacked as .jar files and should be unpacked into fixpacks or fixes directory. 7) Install the maintenance package. 8) Restart WebSphere Directions to remove fix: NOTE: * The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environments. * FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED * DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED * YOU MAY REAPPLY ANY REMOVED FIX Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied. 1) Shutdown WebSphere Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that uninstall is being run against. 2) Start Update Installer 3) Enter the installation location of the WebSphere product you want to remove the fix. 4) Select "Uninstall maintenance package" operation. 5) Enter the file name of the maintenance package to uninstall (PKxxxxx.jar). 6) UnInstall maintenance package. 7) Restart WebSphere Directions to re-apply fix: 1) Shutdown WebSphere. 2) Follow the Fix instructions to apply the fix. 3) Restart WebSphere. Additional Information: