If you are running WAS 7, be sure to check your fix packs today. We recommend patching to the latest fix pack, 7.0.0.17, or to 7.0.0.15 at the very least. There is a cross-site scripting vulnerability you need to be aware of, as reported by Core Security Technologies:
Core Security Technologies Advisory - The administrative console of IBM WebSphere Application Server is vulnerable to Cross-Site Request Forgery (CSRF) attacks, which can be exploited by remote attackers to force a logged-in administrator to perform unwanted actions on the IBM WebSphere administrative console, by enticing him to visit a malicious web page. Versions 7.0.0.11 and 7.0.0.13 are confirmed vulnerable.
Core Security Technologies, Francisco Falcon
The IBM fix list shows that WAS 7.0.0.15 corrects this issue (APAR PK77505)
http://www-01.ibm.com/support/docview.wss?uid=swg27014463&wv=1
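The advisory above describes a textbook CSRF: the browser attaches the administrator's session cookie to a request that the attacker's page forged, so the console cannot tell it from a legitimate click. The standard defence in a Java EE application is a per-session synchronizer token that every state-changing request must carry, which a cross-site page cannot read. Below is an added example of such a servlet filter for your own admin applications; it is not IBM's code nor the fix shipped in 7.0.0.15, and the attribute, parameter and header names are assumptions.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;

// Servlet filter enforcing a synchronizer token on state-changing requests.
// Added example, not IBM code; assumes a Servlet 2.5+ container and that
// the application's forms embed the token as a hidden field or header.
public class AdminCsrfFilter implements Filter {
    private static final String TOKEN_ATTR = "csrfToken";   // session attribute (assumed name)
    private static final String TOKEN_PARAM = "csrfToken";  // hidden form field (assumed name)
    private static final String TOKEN_HEADER = "X-CSRF-Token"; // for XHR callers (assumed name)
    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        HttpSession session = http.getSession(true);

        // Issue one unguessable token per session; pages render it into their forms.
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        if (expected == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            StringBuilder hex = new StringBuilder();
            for (byte b : raw) hex.append(String.format("%02x", b));
            expected = hex.toString();
            session.setAttribute(TOKEN_ATTR, expected);
        }

        // Only requests that change state need the token; reads stay unaffected.
        String m = http.getMethod();
        boolean stateChanging = !("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m));
        if (stateChanging) {
            String supplied = http.getHeader(TOKEN_HEADER);
            if (supplied == null) supplied = http.getParameter(TOKEN_PARAM);
            // A forged cross-site request carries the cookie but not the token, so it is refused.
            if (supplied == null || !MessageDigest.isEqual(expected.getBytes("UTF-8"),
                                                           supplied.getBytes("UTF-8"))) {
                out.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to the admin URL space in web.xml and render the session token into every form; MessageDigest.isEqual is used so the comparison does not leak the token through timing.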
If you are totally, blissfully oblivious to XSS attacks, you should watch this video.
Video: http://www.youtube.com/embed/r79ozjCL7DA
Now that you've seen that, ask yourself, "could the software my organization is writing be hacked like that?" Rational AppScan is a great solution for black-box testing of your web sites. We've used it before, and recommend it to customers.
Video: http://www.youtube.com/embed/nfKnsBQdNkM
I think IBM was not eating their own dog food (so to speak) before. Nice to see the Rational team smack the WebSphere team every now and again.
Labels: JavaEE, WebSphere, XSS