IBM WebSphere Application Server Unspecified HTTP Response Splitting Vulnerability

Bugtraq ID:	23086
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 21 2007 12:00AM
Updated:	Mar 21 2007 10:43PM
Credit:	The vendor disclosed this issue.
Vulnerable:	IBM Websphere Application Server 6.0.2
Not Vulnerable:	IBM Websphere Application Server 6.1 .5 IBM Websphere Application Server 6.1 .4 IBM Websphere Application Server 6.1 .3 IBM Websphere Application Server 6.1 .2 IBM Websphere Application Server 6.1 .1 IBM Websphere Application Server 6.1

IBM WebSphere Application Server Unspecified HTTP Response Splitting Vulnerability

IBM WebSphere Application Server is prone to an HTTP-response-splitting vulnerability because the application fails to properly sanitize user-supplied input.

A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that attempt to entice client users into a false sense of trust.

This issue affects version 6.0.2.

IBM WebSphere Application Server Unspecified HTTP Response Splitting Vulnerability

To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.

IBM WebSphere Application Server Unspecified HTTP Response Splitting Vulnerability

Solution:
The vendor released fixes in versions 6.1.0 and above to address this issue. Please contact the vendor for details on obtaining and applying fixes.

IBM WebSphere Application Server Unspecified HTTP Response Splitting Vulnerability

References:

• IBM Websphere Homepage (IBM)
  
• PK39732: HTTP RESPONSE SPLITTING VULNERABILITY (IBM)