-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0203
    Security Risk with Fix Available: Web Content Management login page
 vulnerable to cross site scripting attacks, also affects WebSphere Portal
                 and Quickr services for WebSphere Portal
                             26 February 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere Portal, Lotus Web Content Management and 
                     Workplace Web Content Management 5.1.0.0, 5.1.0.1, 
                     5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.5
                   WebSphere Portal, Lotus Web Content Management and 
                     Workplace Web Content Management 6.0.0.0, 6.0.0.1, 
                     6.0.0.2, 6.0.0.3, 6.0.0.4
                   WebSphere Portal, Lotus Web Content Management and 
                     Workplace Web Content Management 6.1.0.0, 6.1.0.1, 
                     6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.0.5, 6.1.0.6, 
                     6.1.0.7
                   Lotus Quickr 8.0, 8.0.0.2, 8.1, 8.1.1, 8.1.1.1
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21421469

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Risk with Fix Available: Web Content Management login page vulnerable 
to cross site scripting attacks, also affects WebSphere Portal and Quickr 
services for WebSphere Portal

Flash (Alert)
 
Abstract
Script can be injected through a URL that points at a vulnerable login page. 
Such a URL could be sent to users (for example in a phishing mail); the browser 
of any user who follows the link executes the injected script in the context 
of the portal site.
 
Content
A vulnerability reported to IBM by Hacktics, Ltd. describes that the login page 
of IBM Lotus Workplace Web Content Management is susceptible to reflected 
cross-site scripting attacks.

Overall CVSS Score 6.8

Affected Systems: All Web Content Management systems and all WebSphere Portal 
installations are affected even if the Web Content Management component is not 
active. IBM Lotus Quickr Services for WebSphere Portal is also affected.

IBM Recommendation:

    * If your environment is protected behind an HTTP server infrastructure, 
      IBM recommends blocking access to the URI <wps_contextroot>/wcm/webinterface 
      (for example /wps/wcm/webinterface, where <wps_contextroot> = wps).
    * If you are unable to block access, remove the login page as documented 
      in the technote "Steps to disable access to the login.jsp" (#1421874).
    * If you do require Web access to this page, install the appropriate fix 
      from the table below.
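The first recommendation above, expressed as an HTTP server configuration fragment. This is an added example and not part of IBM's bulletin; it assumes the default Portal context root `wps` and that the front end is IBM HTTP Server or Apache httpd 2.2 (the syntax IBM HTTP Server of that generation used) with the WebSphere plug-in. Adjust the regular expression if your context root differs.

```apache
# Added example, not from the IBM bulletin. Assumes the Portal context
# root is "wps" and the front end is IBM HTTP Server / Apache httpd 2.2
# forwarding to WebSphere Portal through the WebSphere plug-in.
#
# Deny every request whose path starts with the WCM web interface,
# which includes the vulnerable login page beneath it. The access check
# runs before the plug-in hands the request to the Portal server, so the
# back end never sees the request. Apache matches <LocationMatch> against
# the URL-decoded path, so percent-encoding characters in the path does
# not bypass the rule. (?i) makes the match case-insensitive; this is
# harmless if the back end is case-sensitive and defensive if it is not.
<LocationMatch "(?i)^/wps/wcm/webinterface(/|$)">
    Order deny,allow
    Deny from all
    # Apache httpd 2.4 equivalent (replace the two lines above):
    # Require all denied
</LocationMatch>
```

After restarting the HTTP server, a request for `/wps/wcm/webinterface/login/login.jsp` should return 403 while the normal portal entry points (`/wps/portal`, `/wps/myportal`) keep working. Two caveats: the block only helps if clients cannot reach the application server's own HTTP transport ports directly, bypassing the HTTP server, and it is a mitigation rather than a fix; the PM03233 fix or Cumulative Fix from the table still needs to be applied.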


WebSphere Portal, Lotus Web Content Management and Workplace Web Content 
Management:

Version: 6.1.0.3, 6.1.5.0
  Fix:     Install the fix for PM03233
  Comment: Available from Fix Central (link). Targeted for inclusion in CF 27 
           and later.

Version: 6.1.0.1, 6.1.0.2
  Fix:     Install Cumulative Fix (CF) 24 or later
  Comment: Download the current Cumulative Fix from the Recommended Updates 
           page.

Version: 6.1.0.0
  Fix:     Install the fix for PM03233
  Comment: Available from Fix Central (link).

Version: 6.0.1.7
  Fix:     Install Cumulative Fix (CF) 37 or later
  Comment: Download the current Cumulative Fix from the Recommended Updates 
           page.

Version: 6.0.1.4, 6.0.1.5, 6.0.1.6
  Fix:     Install Cumulative Fix (CF) 34 or later
  Comment: Download the current Cumulative Fix from the Recommended Updates 
           page.

Version: 6.0.1.3
  Fix:     Install the fix for PM03233
  Comment: Available on request from IBM Technical Support.

Version: 6.0.1.0, 6.0.1.1, 6.0.1.2
  Fix:     Upgrade to V6.0.1.3 or a higher fix pack level and install the fix 
           for PM03233
  Comment: If you are unable to update the server to V6.0.1.3 or higher, 
           disable access to the login page.

Version: 6.0.0.4
  Fix:     Install the fix for PM03233
  Comment: Available on request from IBM Technical Support.

Version: 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3
  Fix:     Upgrade to V6.0.0.4 or a higher fix pack level and install the fix 
           for PM03233
  Comment: If you are unable to update the server to V6.0.0.4 or higher, 
           disable access to the login page.

Version: 5.1.0.5
  Fix:     Install the fix for PM03233
  Comment: Available on request from IBM Technical Support.

Version: 5.1.0.0, 5.1.0.1, 5.1.0.2, 5.1.0.3, 5.1.0.4
  Fix:     Upgrade to V5.1.0.5 and install the fix for PM03233
  Comment: If you are unable to update the server to V5.1.0.5, disable access 
           to the login page.

Lotus Quickr services for WebSphere Portal:

Version: 8.1, 8.1.1, 8.1.1.1
  Fix:     Install the fix for PM03233
  Comment: Available from Fix Central (link).

Version: 8.0.0.2
  Fix:     Install the fix for PM03233
  Comment: Available from Fix Central (link).

Version: 8.0
  Fix:     Upgrade to V8.0.0.2 or higher and install the fix for PM03233
  Comment: If you are unable to update the server to V8.0.0.2 or higher, 
           disable access to the login page.
 
Cross Reference information
Segment:   Enterprise Content Management
Product:   Workplace Web Content Management
Component: Security & User Management
Platform:  AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS
Version:   6.0, 5.1.0.5, 5.1.0.4, 5.1.0.3, 5.1.0.1, 5.1.0
Edition:   Java edition

Segment:   Organizational Productivity - Portals & Collaboration
Product:   WebSphere Portal
Component: Security
Platform:  AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS
Version:   6.1, 6.0
Edition:   Enable, Extend, Server, Express

Segment:   Organizational Productivity - Portals & Collaboration
Product:   WebSphere Portal End of Support Products
Component: Security
Platform:  AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS
Version:   5.1.0.5, 5.1.0.4, 5.1.0.3, 5.1.0.2, 5.1.0.1, 5.1.0.0, 5.1
Edition:   Enable, Experience, Extend

Segment:   Organizational Productivity - Portals & Collaboration
Product:   Lotus Quickr services for WebSphere Portal
Component: Security
Platform:  (not stated)
Version:   8.1
Edition:   All Editions

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines 
Corp., registered in many jurisdictions worldwide. Other product and service 
names might be trademarks of IBM or other companies. A current list of IBM 
trademarks is available on the Web at "Copyright and trademark information" at 
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLhyN//iFOrG6YcBERAqKtAJ0czn1OFJ7Hb2RZspw+4MHsue+18wCggsjS
1oSg+W7/ZA5uj15a7alDXk4=
=LR93
-----END PGP SIGNATURE-----