IBM Tivoli Business Systems Manager APWC_Win_Main.JSP Cross-Site Scripting Vulnerability

Bugtraq ID:	17210
Class:	Input Validation Error
CVE:	CVE-2006-1384
Remote:	Yes
Local:	No
Published:	Mar 23 2006 12:00AM
Updated:	Jun 27 2007 09:08PM
Credit:	The vendor disclosed this issue.
Vulnerable:	IBM Tivoli Business Systems Manager 3.1
Not Vulnerable:

IBM Tivoli Business Systems Manager APWC_Win_Main.JSP Cross-Site Scripting Vulnerability

IBM Tivoli Business Systems Manager is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

IBM Tivoli Business Systems Manager APWC_Win_Main.JSP Cross-Site Scripting Vulnerability

This issue can be exploited through a web client.

An example URI has been provided:

http://www.example.com:9443/TbsmWebConsole/help/en/jsp/apwc_win_main.jsp?skin=[XSS]

IBM Tivoli Business Systems Manager APWC_Win_Main.JSP Cross-Site Scripting Vulnerability

Solution:
IBM has released an advisory along with fixes to address this issue. Please see the referenced advisory for further information on obtaining fixes.

IBM Tivoli Business Systems Manager APWC_Win_Main.JSP Cross-Site Scripting Vulnerability

References:

• OA14904: INSUFFICIENT VALIDATION OF THE SKIN PARAMETER VALUE LEADING TO A TBSM C (IBM)
  
• Tivoli Business Systems Manager Product Page (IBM)