-----------------------------------------------------------
+ IBM WEBSPHERE 6 Sample scripts Cross site scripting +
-----------------------------------------------------------

Release Date:
12/12/2005

Severity:
low

Product:
http://www-306.ibm.com/software/info/ecatalog/en_GB/products/U105789N42720B65.html?&S_TACT=none&S_CMP=none

Description:
WebSphere Application Server, V6.0 can increase your return on investment on existing IT assets while providing
the foundation for the IBM Software Group Portfolio. WebSphere Application Server, V6.0 is Java� 2 Enterprise
Edition (J2EE) 1.4-compatible and enables an on-demand infrastructure with the following key features: 
-Full J2EE support across all offerings 
-Mixed application server support (V5, V5.1, and V6) for more flexible migration to newest versions of 
-WebSphere Application Server 
-Support for unified administration of a mixed WebSphere Application Server environment (V5.0, V5.1, and V6.0)
for a more flexible migration to WebSphere Application Server V6.0 
-WebSphere Rapid Deployment for reducing the complexity of developing and deploying J2EE applications 
-Additional Web services standards above J2EE 1.4 for the sound foundation for the Services Oriented Architecture
(SOA) 
-Broad platform support, allowing increased integration of existing resources and deployment platform choices 

Details:
Some Cross site scripting attacks have been identified in the Samples that Websphere server installs by default.This
can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

(1) The first Css takes place in the /PlantSByWebSpere/ sample in the login script.
http://[host]:9080/PlantsByWebSphere/login.jsp
Input passed in the "E-mail address" field isn't properly sanitised before being returned to the user.
Login.jsp can also be used to enumerate valid accounts because login.jsp returns different error messages 
depending on whether a username is valid or invalid.

(2) The second Css exists in the /TechnologySample/BulletinBoard Script (it is installed be default).
Input passed in the "message" field is not properly sanitized before being returned to the user. This can be
exploited to execute arbitary HTML and script code in a user's browser session on context of an affected site.
http://[host]:9080/TechnologySamples/BulletinBoard/index.html

(3) The third Css vulnerability was identified in the /TechnologySamples/Subscription/ sample script.
Input passed in the "Email address" field is not properly sanitized before being returned to the user. This can beexploited to 
execute arbitary HTML and script code in a user's browser session on context of an affected site.
http://localhost:9080/TechnologySamples/Subscription/SubscriptionJSP.jsp
* Enter input: <script-code>@wasted.gr

(4) Another Css exists in the /TechnologySamples/MovieReview2_1/. Input passed in the "Movie Name" , "Move Reviewer"
and "Movie Review" field is not properly sanitized before being returned to the user.This can beexploited to 
execute arbitary HTML and script code in a user's browser session on context of an affected site.
http://localhost:9080/TechnologySamples/MovieReview2_1/
*Use the Add button first and then use the find button for this attack to take place.


Workaround:
(1)Remove the specified scripts
(2)Edit the source code to ensure that input is properly sanitised.

credit:
dr_insane