If you are running WAS 7, be sure and check your fix packs today. We recommend you patch them to the latest of 220.127.116.11 or 18.104.22.168 at the latest. There is a cross-site scripting vulnerability you need to be aware of, as reported by Core Security Technologies
Core Security Technologies Advisory - The administrative console of IBM WebSphere Application Server is vulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be exploited by remote attackers to force a logged-in administrator to perform unwanted actions on the IBM WebSphere administrative console, by enticing him to visit a malicious web page. Versions 22.214.171.124 and 126.96.36.199 are confirmed vulnerable.Core Security Technologies, Francisco Falcon
The IBM fix list shows that WAS 188.8.131.52 corrects this issue (APAR PK77505)
If you are totally, blissfully oblivious to XSS attacks, you should watch this video.
<iframe width="560" height="349" src="http://www.youtube.com/embed/r79ozjCL7DA" frameborder="0" allowfullscreen></iframe></p>
Now that you've seen that, ask yourself, "could the software my organization is writing be hacked like that?" Rational AppScan is a great solution for black box testing your web sites. We've used it before, and recommend it to customers.
<p><iframe width="560" height="349" src="http://www.youtube.com/embed/nfKnsBQdNkM" frameborder="0" allowfullscreen></iframe></p>
<p>I think IBM was not eating their own dogfood (so to speak) before. Nice to see the Rational team smack the WebSphere team every now and again.</p>
Labels: JavaEE, WebSphere, XSS