IBM WebSphere应用服务器管理员控制台跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117425 漏洞类型 跨站脚本
发布时间 2009-02-26 更新时间 2009-04-01
CVE编号 CVE-2009-0855 CNNVD-ID CNNVD-200903-182
漏洞平台 Multiple CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/32839
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-182
|漏洞详情
IBMWebsphere应用服务器以Java和Servlet引擎为基础,支持多种HTTP服务,可帮助用户完成从开发、发布到维护交互式的动态网站的所有工作。Websphere应用服务器的管理员控制台存在跨站脚本漏洞,远程攻击者可以通过未明向量执行跨站脚本攻击。
|漏洞EXP
source: http://www.securityfocus.com/bid/34001/info

IBM WebSphere Application Server (WAS) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects versions prior to WAS 6.1.0.23 and 7.0.0.3. 

http://www.example.com/ibm/console/<script>alert('DSecRG_XSS')</script>
http://www.example.com/ibm/console/<script>alert('DSecRG_XSS')</script>.jsp
|参考资料

来源:VUPEN
名称:ADV-2009-0854
链接:http://www.vupen.com/english/advisories/2009/0854
来源:VUPEN
名称:ADV-2009-0607
链接:http://www.vupen.com/english/advisories/2009/0607
来源:BID
名称:34259
链接:http://www.securityfocus.com/bid/34259
来源:BID
名称:34001
链接:http://www.securityfocus.com/bid/34001
来源:AIXAPAR
名称:PK82988
链接:http://www-01.ibm.com/support/docview.wss?uid=swg1PK82988
来源:AIXAPAR
名称:PK81212
链接:http://www-01.ibm.com/support/docview.wss?uid=swg1PK81212
来源:AIXAPAR
名称:PK77505
链接:http://www-01.ibm.com/support/docview.wss?uid=swg1PK77505
来源:SECUNIA
名称:34461
链接:http://secunia.com/advisories/34461
来源:SECUNIA
名称:34131
链接:http://secunia.com/advisories/34131