IBM WebSphere Application Server Error Page Cross-Site Scripting Vulnerability

Bugtraq ID:	13349
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 25 2005 12:00AM
Updated:	Apr 25 2005 12:00AM
Credit:	Discovery credited to Dr_insane.
Vulnerable:	IBM Websphere Application Server 6.0
Not Vulnerable:

IBM WebSphere Application Server Error Page Cross-Site Scripting Vulnerability

IBM WebSphere is prone to a cross-site scripting vulnerability in default error message pages.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected Web site. This may facilitate the theft of cookie-based authentication credentials; other attacks are also possible.

IBM WebSphere 6.0 was reported to be prone to this issue; other versions may also be vulnerable.

IBM WebSphere Application Server Error Page Cross-Site Scripting Vulnerability

An exploit is not required.

IBM WebSphere Application Server Error Page Cross-Site Scripting Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

IBM WebSphere Application Server Error Page Cross-Site Scripting Vulnerability

References:

• IBM WebSphere Application Server Product Page (IBM)