If you are running WAS 7, be sure and check your fix packs today. We recommend you patch them to the latest of 18.104.22.168 or 22.214.171.124 at the latest. There is a cross-site scripting vulnerability you need to be aware of, as reported by Core Security Technologies
Core Security Technologies Advisory - The administrative console of IBM WebSphere Application Server is vulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be exploited by remote attackers to force a logged-in administrator to perform unwanted actions on the IBM WebSphere administrative console, by enticing him to visit a malicious web page. Versions 126.96.36.199 and 188.8.131.52 are confirmed vulnerable.Core Security Technologies, Francisco Falcon
The IBM fix list shows that WAS 184.108.40.206 corrects this issue (APAR PK77505)
If you are totally, blissfully oblivious to XSS attacks, you should watch this video.
<iframe width="560" height="349" src="http://www.youtube.com/embed/r79ozjCL7DA" frameborder="0" allowfullscreen></iframe></p>
Now that you've seen that, ask yourself, "could the software my organization is writing be hacked like that?" Rational AppScan is a great solution for black box testing your web sites. We've used it before, and recommend it to customers.
<p><iframe width="560" height="349" src="http://www.youtube.com/embed/nfKnsBQdNkM" frameborder="0" allowfullscreen></iframe></p>
<p>I think IBM was not eating their own dogfood (so to speak) before. Nice to see the Rational team smack the WebSphere team every now and again.</p>
Labels: JavaEE, WebSphere, XSS