IBM WebSphere Application Server for z/OS "logoutExitPage" Redirection Weakness
Secunia Advisory SA45300
Release Date 2011-07-20
Criticality level Not critical
Impact Spoofing
Where From remote
Solution Status Vendor Patch
Software:
IBM WebSphere Application Server 6.1.x
IBM WebSphere Application Server 7.0.x
CVE Reference(s) CVE-2011-1355
Description
A weakness has been reported in IBM WebSphere Application Server for z/OS, which can be exploited by malicious people to conduct spoofing attacks.
Input passed via the "logoutExitPage" parameter is not properly validated before being used as the target of a redirect after logout. This can be exploited to redirect a user to an arbitrary website, e.g. when the user clicks a specially crafted link to the affected logout script hosted on a trusted domain. Because the link itself points at the trusted host, the redirect lends that host's credibility to the attacker-controlled destination (an open redirect), which is what makes it useful for phishing.
The weakness is reported in versions 6.1 and 7.0.
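The following is an added illustration of the weakness described above and of the kind of check that closes it; it is not WebSphere's code and not taken from the IBM or Secunia advisories. The logout path "/ibm_security_logout", the trusted host names and the crafted link are all constructed for the example. The vulnerable handler passes "logoutExitPage" straight into the Location header; the hardened handler allows only same-site relative paths or absolute http(s) URLs whose host is on an explicit allow-list, and it rejects the usual bypasses (scheme-relative "//host", backslash "/\host", "user@host" tricks, suffix-matched look-alike hosts and non-http schemes).

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Constructed allow-list: hosts the application is willing to send users to after logout.
TRUSTED_HOSTS = {"www.example.com", "portal.example.com"}

# Fallback landing page used when the supplied exit page is rejected (illustrative).
DEFAULT_EXIT_PAGE = "/logout_done.jsp"


def vulnerable_logout_redirect(logout_exit_page: str) -> str:
    """The weak behaviour: whatever the client supplied becomes the redirect target."""
    return logout_exit_page


def is_safe_logout_exit_page(value: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only if `value` may be used as a post-logout redirect target.

    Policy: a same-site absolute path ("/welcome.jsp"), or an http(s) URL whose
    host is exactly one of `trusted_hosts`. Everything else is rejected.
    """
    if not value:
        return False
    v = value.strip()
    # CR/LF/NUL inside the value could split or truncate the Location header.
    if any(c in v for c in "\r\n\t\x00"):
        return False
    # Browsers treat backslashes as forward slashes, so "/\evil" is really "//evil".
    v = v.replace("\\", "/")
    parts = urlsplit(v)  # urlsplit lowercases the scheme for us
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False  # javascript:, data:, file: ...
        host = parts.hostname  # strips userinfo and port, lowercases the host
        # Exact match only: "www.example.com.evil.example" must not pass.
        return host is not None and host in trusted_hosts
    if parts.netloc:
        return False  # scheme-relative "//evil.example/..."
    # Relative target: require a single leading "/" so it stays on this host.
    return v.startswith("/") and not v.startswith("//")


def hardened_logout_redirect(logout_exit_page: str) -> str:
    """Hardened behaviour: use the supplied page only if it passes the allow-list check."""
    if is_safe_logout_exit_page(logout_exit_page):
        return logout_exit_page.strip()
    return DEFAULT_EXIT_PAGE


def crafted_link(trusted_origin: str, logout_path: str, target: str) -> str:
    """Build the kind of link an attacker would send: trusted host, attacker-chosen exit page."""
    return f"{trusted_origin}{logout_path}?{urlencode({'logoutExitPage': target})}"


def exit_page_from_link(link: str) -> str:
    """Extract the logoutExitPage parameter the way a logout handler would see it."""
    return parse_qs(urlsplit(link).query).get("logoutExitPage", [""])[0]


if __name__ == "__main__":
    # Constructed attack: the link is on the trusted site, the destination is not.
    link = crafted_link("https://www.example.com", "/ibm_security_logout", "https://evil.example/")
    page = exit_page_from_link(link)
    print("crafted link:   ", link)
    print("vulnerable ->   ", vulnerable_logout_redirect(page))
    print("hardened   ->   ", hardened_logout_redirect(page))
    for probe in ["/welcome.jsp", "//evil.example/", "/\\evil.example",
                  "https://www.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{probe!r:45} safe={is_safe_logout_exit_page(probe)}")
```

The check matches hosts exactly rather than by suffix, and it parses the value with the same URL rules a browser applies (backslash normalisation, userinfo stripping) before comparing; a check that merely looks for "http" at the start of the string, or that tests `startswith("/")` without excluding "//", lets the scheme-relative and backslash variants through.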
Solution
Apply APAR PM42436, or update to version 6.1.0.39 or 7.0.0.19 (when available).
Provided and/or discovered by
Reported by the vendor.
Original Advisory
IBM(PM35701):
http://www-01.ibm.com/support/docview.wss?uid=swg1PM42436
ISS X-Force:
http://xforce.iss.net/xforce/xfdb/68570