===========================================================================
                  AUSCERT Security Bulletin ASB-2011.0087
  A vulnerability has been identified in IBM WebSphere ILOG Rule Team Server
                              12 October 2011
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              IBM WebSphere ILOG Rule Team Server
Operating System:     AIX
                      HP-UX
                      Linux variants
                      Solaris
                      Windows
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Mitigation
Member content until: Friday, November 11 2011

OVERVIEW

A vulnerability has been identified in IBM WebSphere ILOG Rule Team Server version 711.

IMPACT

The vendor has provided the following information regarding this vulnerability, which could allow a cross-site scripting attack:

"Entering the following url while logged in to an RTS session shows a security vulnerability:
http://localhost:8080/teamserver/faces/home.jsp?project='current" [1]

The value of the project parameter is reflected to the user in the "project not found" error message, which is why the vendor workaround below replaces that dynamic message with a fixed one.

MITIGATION

The vendor has provided the following workaround to mitigate this vulnerability [1]:

In teamserver.war/content/error.jsp replace:

    message="#{ErrorMessageActionBean.message}"

with:

    message="#{bundle.unknownError}"

REFERENCES

[1] RS00803: VULNERABILITY WITH PROJECT NOT FOUND ERROR
    http://www-01.ibm.com/support/docview.wss?uid=swg1RS00803

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.
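Until the error.jsp workaround is applied, operators may want to know whether the reflected "project" parameter has been probed on their Rule Team Server front end. The following is an added example, not part of the AusCERT bulletin or IBM's own code: it scans web server access logs for requests to the home.jsp path named above whose project value contains characters that are meaningful once reflected into HTML. It assumes NCSA/Apache-style combined log lines and the context path /teamserver/faces/home.jsp from the bulletin; the log lines themselves are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (NCSA combined style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2011:10:01:02 +1000] "GET /teamserver/faces/home.jsp?project=Loans HTTP/1.1" 200 5120
10.0.0.7 - - [12/Oct/2011:10:02:15 +1000] "GET /teamserver/faces/home.jsp?project='current HTTP/1.1" 200 1843
10.0.0.9 - - [12/Oct/2011:10:03:44 +1000] "GET /teamserver/faces/home.jsp?project=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1901
10.0.0.5 - - [12/Oct/2011:10:04:01 +1000] "GET /teamserver/faces/rules.jsp?project=Loans HTTP/1.1" 200 7000
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The page that reflects the parameter, per the bulletin (assumed deployment path).
RTS_HOME_PATH = "/teamserver/faces/home.jsp"

# Characters and fragments that do not belong in a project name and that change
# meaning once the value is echoed into an HTML error message.
SUSPICIOUS = re.compile(r"""['"<>]|javascript:|on\w+\s*=""", re.IGNORECASE)


def find_suspicious_requests(log_text):
    """Return one record per request whose project parameter looks like a reflection probe."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(RTS_HOME_PATH):
            continue
        # parse_qs percent-decodes each value, so encoded '<' or quotes are caught too.
        for value in parse_qs(parts.query, keep_blank_values=True).get("project", []):
            if SUSPICIOUS.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "project": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} project={hit['project']!r}")
```

A status of 200 on a flagged request only shows the page answered; whether the reflected value was rendered unescaped must be confirmed against the deployed error.jsp.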
===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================