Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/
IBM WebSphere Application Server Cross-Site Request Forgery
1. *Advisory Information*
Title: IBM WebSphere Application Server Cross-Site Request Forgery
===========
I. Overview
===========
During a penetration test performed by Hacktics' experts, certain
vulnerabilities were identified in an IBM WebSphere Portal Server and Lotus
Web Content Management deployment. Further research identified that the
login page of IBM Lotus Workplace Web Content Management is vulnerable
to Reflected Cross-Site Scripting attacks.
A friendly formatted version of this advisory is available in:
===============================================
Vendor: Apache Software Foundation (http://www.apache.org)
Product: Apache MyFaces (http://myfaces.apache.org/)
Versions affected: 1.2.8 and 1.1.7 are confirmed as
vulnerable. All previous versions are likely vulnerable.
Related products: Some versions of IBM WebSphere Application
Server (at least 6.x and 7.x) ship with Apache MyFaces
[8,9]
Description:
MyFaces is an open source implementation of the JavaServer
Methods: POST, GET
Protocols: HTTP, HTTPS
4. Adobe LiveCycle ES2
Windows XP SP2 / IBM WebSphere 7.0
Endpoint URIs:
{server.name}:{server.port}/{context.root}/messagebroker/http
* Satellite Systems - Adam Laurie, RFIDIOt.org
* Browser Exploits - Attacks and Defense - Saumil Shah, Net Square
* WebSphere MQ Security - Martyn Ruks, MWR InfoSecurity
Paper synopses are now up on the website.
This year there will be three Security Masters Dojo courses
on May 19/20, including a new course from Foundstone:
Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified.
Users of Geronimo 2.2 with Jetty 7 are not affected.
Users of IBM WebSphere Application Server 6.1 and 7.0 are known to be affected.
Users of other containers that implement the Servlet specification may be affected.
Mitigation:
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-013
!!! official advisory: !!!
http://dsecrg.com/pages/vul/DSECRG-09-013.html
Application: IBM WebSphere Application Server
Versions Affected: 7.0 and 6.1
Vendor URL: http://www.ibm.com/websphere/
Bug: Multiple XSS Vulnerabilities
Exploits: YES
Reported: 01.11.2008
IRM, leaders in messaging systems security, have discovered six remote
vulnerabilities in IBM WebSphere MQ 6.0. The vulnerabilities are
currently being investigated by IBM and once patches have been
developed, advisories will be published including full technical details
and links to patch download information.
More information is available here:
http://www.irmplc.com/index.php/158-Messaging-System-Security