Title: IBM WebSphere Cross-Site Scripting Vulnerability
Severity: HIGH
Description:
IBM WebSphere is a family of commercial web server and web server-related products.
IBM WebSphere does not filter embedded script from user-submitted links that are displayed on the server's websites. The problem stems from an input validation error in the Java Servlet container.
A malicious webmaster can exploit this vulnerability to have JavaScript commands or embedded scripts executed in the browser of any user who clicks on the hyperlink. This vulnerability may be exploited in forums, guestbooks, or other applications that allow users to submit information that is then displayed in web pages.
When the malicious hyperlink is clicked, the web server returns its standard error message, but the embedded script also runs in the user's browser within the security context of the server's domain. This also has the effect of obscuring the attacker, since the script appears to originate from the trusted host.
Scenarios: The attacker must identify a website on a vulnerable host that displays user-supplied information in a web page.
The attacker submits a link on the website that embeds and points to the malicious script.
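As an added illustration (not part of the original advisory, and not IBM's or Juniper's code), the following Python models the reflected error-page behaviour described above beside its HTML-escaped form, and shows a simple access-log check for the request pattern; the sample path and log lines are constructed.

```python
import html
from urllib.parse import unquote

# Constructed sample request path: a link carrying script markup that a
# vulnerable container would echo back in its "not found" error page.
SAMPLE_PATH = "/servlet/missing<script>alert(1)</script>"

def vulnerable_error_page(path: str) -> str:
    """Models the flaw: the requested path is copied into the error page
    verbatim, so any markup in it becomes live HTML in the server's origin."""
    return f"<html><body><h1>Error 404</h1><p>Not found: {path}</p></body></html>"

def hardened_error_page(path: str) -> str:
    """Mitigation: HTML-encode the reflected value so the browser renders it
    as inert text rather than as markup."""
    return f"<html><body><h1>Error 404</h1><p>Not found: {html.escape(path)}</p></body></html>"

def contains_script_element(page: str) -> bool:
    """True if the rendered page carries a live <script> start tag."""
    return "<script" in page.lower()

# Tokens a defender would look for in reflected request targets.
SUSPICIOUS_TOKENS = ("<script", "javascript:", "onerror=", "onload=")

def flag_reflected_script_requests(log_lines):
    """Detection: return request targets from common-log-format lines that
    carry script markup (after percent-decoding, since hostile links are
    usually URL-encoded) and that the server answered with a 4xx/5xx error."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 3:
            continue
        request_fields = parts[1].split()   # e.g. ["GET", "/path", "HTTP/1.0"]
        if len(request_fields) < 2:
            continue
        target = request_fields[1]
        status = parts[2].split()[0] if parts[2].split() else ""
        decoded = unquote(target).lower()
        if status[:1] in ("4", "5") and any(t in decoded for t in SUSPICIOUS_TOKENS):
            hits.append(target)
    return hits

# Constructed access-log lines for demonstration only.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.7 - - [01/Jan/2001:10:00:01 +0000] "GET /servlet/x%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 404 512',
]
```

Running `flag_reflected_script_requests(SAMPLE_LOG)` returns only the second request target, the error response whose decoded path contains a script tag.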
Affected Products:
- IBM Websphere Application Server 3.0.2
- IBM Websphere Application Server 3.5.0
References:
- IBM: IBM WebSphere Application Server Announcement (in Japanese)
- IBM: IBM WebSphere Application Server Product Page
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.