
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2011.0087
A vulnerability has been identified in IBM WebSphere ILOG Rule Team Server
                              12 October 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              IBM WebSphere ILOG Rule Team Server
Operating System:     AIX
                      HP-UX
                      Linux variants
                      Solaris
                      Windows
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Mitigation
Member content until: Friday, November 11 2011

OVERVIEW

        A vulnerability has been identified in IBM WebSphere ILOG Rule Team
        Server version 711.


IMPACT

        The vendor has provided the following information regarding this
        vulnerability which could allow a cross-site scripting attack:
        
        "Entering the following url while logged in a RTS session shows
        a security vulnerability:
        
        http://localhost:8080/teamserver/faces/home.jsp?project='current 
        " [1]


MITIGATION

        The vendor has provided the following workaround to mitigate
        this vulnerability [1]:
        
        In teamserver.war/content/error.jsp
        Replace:
           message="#{ErrorMessageActionBean.message}"
        with:
           message="#{bundle.unknownError}"
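        The following is an added illustration, not IBM's code, of why the
        workaround closes the reflection: it models the two bindings as two
        renderers and adds a defender-side check that a page body does not echo
        the raw `project` parameter. The bundle text and the markup around the
        message are constructed stand-ins.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the resource-bundle entry the workaround switches to.
BUNDLE_UNKNOWN_ERROR = "An unknown error occurred."


def project_from_url(url: str) -> str:
    """Return the 'project' query parameter as the error page would receive it."""
    return parse_qs(urlsplit(url).query).get("project", [""])[0]


def render_error_before(project: str) -> str:
    """Model of message="#{ErrorMessageActionBean.message}": the 'project not
    found' text carries the requested project name straight into the page."""
    return f"<div class='error'>Project {project} not found</div>"


def render_error_after(project: str) -> str:
    """Model of message="#{bundle.unknownError}": a fixed bundle string, so no
    request-controlled value reaches the page whatever the project name holds."""
    return f"<div class='error'>{html.escape(BUNDLE_UNKNOWN_ERROR)}</div>"


def reflects_request_input(url: str, page: str) -> bool:
    """Defender-side check: True if the raw parameter appears in the page body
    and contains markup-significant characters (i.e. escaping would change it).
    A benign name such as 'rules' echoed verbatim is not flagged."""
    raw = project_from_url(url)
    if not raw:
        return False
    return raw in page and raw != html.escape(raw, quote=True)


if __name__ == "__main__":
    # The request shape from the vendor note, used here as constructed input.
    url = "http://localhost:8080/teamserver/faces/home.jsp?project='current"
    name = project_from_url(url)
    for label, page in (("before", render_error_before(name)),
                        ("after", render_error_after(name))):
        print(f"{label}: reflected={reflects_request_input(url, page)}")
```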


REFERENCES

        [1] RS00803: VULNERABILITY WITH PROJECT NOT FOUND ERROR
            http://www-01.ibm.com/support/docview.wss?uid=swg1RS00803

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================