PQ66641: SECURITY HOLE CONCERNING SCRIPT TAGS AND WEB GROUP NOT FOUND EXCEPTIONS.

APAR status
Closed as program error.

Error description
The internal IBM Security team has located a possible security hole
concerning invalid web group names and script tags. This fix is
an extension of the fix for the original script tag security
hole, APAR PQ47386.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server             *
*                 installations.                               *
****************************************************************
* PROBLEM DESCRIPTION: Certain script tags in URLs may allow   *
*                      access to users' local file system.     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Most web browsers have the capability to interpret scripts
embedded in web pages downloaded from a web server. Such
scripts may be written in a variety of scripting languages
and are run by the client's browser. Most browsers are
installed with the capability to run scripts enabled by
default.
Details can be found at:

http://www.cert.org/advisories/CA-2000-02.html
Problem conclusion
Changed all ServletExceptions to encode exceptions sent
back to the client.
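The conclusion above describes the class of fix: exception text that is echoed to the client is entity-encoded before it is placed in the HTML error page, so a "web group not found" message that carries markup from the request is displayed as text rather than executed by the browser. The following is an added illustration of that pattern, not IBM's or WebSphere's code; the `WebGroupNotFoundException` class, the error-page layout and the sample request value are constructed for the example.

```java
// Added example (not IBM/WebSphere code): HTML-encode exception text before it
// is written into an error response, the kind of change PQ66641 describes.
public class EncodedErrorResponse {

    // Minimal HTML entity encoding for text placed in an HTML body or
    // attribute. Ampersand is handled in the same pass as the other
    // characters, so already-encoded input is not double-decoded later.
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical stand-in for the "web group not found" condition: the
    // message carries the unresolved group name taken from the request URL.
    static class WebGroupNotFoundException extends Exception {
        WebGroupNotFoundException(String groupName) {
            super("Web group not found: " + groupName);
        }
    }

    // Before the fix: the exception message is copied into the page as-is,
    // so markup supplied in the request reaches the browser unchanged.
    static String unencodedErrorPage(Exception e) {
        return "<html><body><h1>Error</h1><p>" + e.getMessage()
                + "</p></body></html>";
    }

    // After the fix: the same message is entity-encoded before insertion.
    static String encodedErrorPage(Exception e) {
        return "<html><body><h1>Error</h1><p>" + htmlEncode(e.getMessage())
                + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample: a request whose group name is markup, not a name.
        String requestedGroup = "<script>alert(1)</script>";
        Exception e = new WebGroupNotFoundException(requestedGroup);

        System.out.println("unencoded: " + unencodedErrorPage(e));
        System.out.println("encoded:   " + encodedErrorPage(e));

        // A check a reviewer can apply to any error path: no raw script tag
        // survives in the encoded body, only its entity-encoded form.
        boolean rawTagPresent = encodedErrorPage(e).contains("<script");
        System.out.println("raw <script tag in encoded body: " + rawTagPresent);
    }
}
```

The encoding has to be applied at every place an exception message is written into the response, which is why the conclusion says all ServletExceptions were changed rather than one handler. Declaring the response content type with an explicit charset (for example `text/html; charset=UTF-8`) complements the encoding, since it removes the browser's freedom to guess an encoding in which other byte sequences read as markup.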
Temporary fix
Comments
APAR information
APAR number PQ66641
Reported component name WEBSPHERE AE NT
Reported component ID 5630A2201
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-09-26
Closed date 2002-09-26
Last modified date 2002-09-26

APAR is sysrouted FROM one or more of the following:
PQ66627

APAR is sysrouted TO one or more of the following:

Modules/Macros
ENGINE

Fix information
Fixed component name WEBSPHERE AE NT
Fixed component ID 5630A2201

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ66641
IBM Group: Software Group
Modified date: Sep 26, 2002