SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#197318

IBM Net.Data db2www CGI interpreter fails to properly validate requested macro filenames

Overview

IBM Net.Data fails to properly validate user input passed to the db2www CGI interpreter, which could allow an attacker to mount a cross-site scripting attack against a vulnerable system.

I. Description

IBM Net.Data is a scripting language used to create web applications. Net.Data macros are supplied to a CGI interpreter (db2www) that generates HTML output. The db2www CGI interpreter fails to properly validate requested macro filenames before returning at least one type of error message (DTWP001E). It is possible to use a cross-site scripting technique to inject malicious script (JavaScript, VBScript, etc.) or HTML into the error message by using a specially crafted macro filename.

II. Impact

A remote attacker could access sensitive information related to the vulnerable web page (cookies, form values, URI data). The attacker could also attempt to mislead the user into providing sensitive information such as login credentials.

III. Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Disable Scripting

To help defend against cross-site scripting attacks from the client's perspective, disable scripting in your web browser and HTML-enabled email client. Instructions for disabling scripting can be found in the CERT/CC Malicious Web Scripts FAQ.

Systems Affected

VendorStatusDate NotifiedDate Updated
IBMVulnerable15-Mar-2004

References


http://www-3.ibm.com/software/data/net.data/
http://www.secunia.com/secunia_research/2004-1/
http://www.secunia.com/advisories/10709/
http://www-306.ibm.com/software/data/net.data/docs/pdf/db2mn.pdf
http://www.cert.org/archive/pdf/cross_site_scripting.pdf

Credit

Thanks to Secunia for the information contained in their security advisory.

This document was written by Damon Morda.

Other Information

Date Public:2004-01-26
Date First Published:2004-03-08
Date Last Updated:2004-03-19
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:1.58
Document Revision:22

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader