PQ66641: SECURITY HOLE CONCERNING SCRIPT TAGS AND WEB GROUP NOT FOUND EXCEPTIONS.
APAR status
Closed as program error.

Error description
Internal IBM Security team has located a possible security hole concerning invalid web group names and script tags. This is a fix that is an extension to the original script tag security hole APAR PQ47386.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server             *
*                 installations.                               *
****************************************************************
* PROBLEM DESCRIPTION: Certain script tags in URLs may allow   *
*                      access to users' local file system.     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Most web browsers have the capability to interpret scripts embedded in web pages downloaded from a web server. Such scripts may be written in a variety of scripting languages and are run by the client's browser. Most browsers are installed with the capability to run scripts enabled by default.

Details can be found at: http://www.cert.org/advisories/CA-2000-02.html

Problem conclusion
Changed all ServletExceptions to encode exceptions sent back to the client.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:
PQ66627

APAR is sysrouted TO one or more of the following:

Modules/Macros
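The problem conclusion above says exception text is now encoded before it is sent back to the client. The following is an added example, not IBM's code, showing that kind of change for a "web group not found" message that repeats the request URI; the class, the method names, the message wording and the sample URIs are all assumptions made for illustration.

```java
public class EncodedErrorPage {

    // Hypothetical stand-in for the text a "web group not found" exception carries:
    // it repeats the request URI that matched no web group.
    static String notFoundMessage(String requestUri) {
        return "Web group not found for URI: " + requestUri;
    }

    // HTML-encode the characters that let text leave element or attribute context.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Before: the exception message is written into the error page verbatim,
    // so markup in the URI becomes markup in the response.
    static String errorPageUnencoded(Exception e) {
        return "<html><body><h1>Error 404</h1><p>" + e.getMessage() + "</p></body></html>";
    }

    // After: the message is encoded at the one place where it reaches the client.
    static String errorPageEncoded(Exception e) {
        String msg = e.getMessage() == null ? "" : e.getMessage();
        return "<html><body><h1>Error 404</h1><p>" + htmlEncode(msg) + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample URIs: one ordinary, one carrying a script tag in the path.
        String[] uris = { "/nosuchapp/index.jsp", "/nosuchapp/<script>alert(1)</script>" };
        for (String uri : uris) {
            Exception e = new Exception(notFoundMessage(uri));
            System.out.println("unencoded: " + errorPageUnencoded(e));
            System.out.println("encoded:   " + errorPageEncoded(e));
        }
    }
}
```

Encoding in the error writer rather than where each exception is constructed means a newly added exception type is covered without further changes.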
Document Information
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ66641
IBM Group: Software Group
Modified date: Sep 26, 2002
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.