Info

Disclosure

Jan 26, 2004

Discovery

Nov 04, 2003

Dates

Exploit

Jan 26, 2004

Solution

Unknown

Description

IBM Net.Data contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate Macro names upon submission to the "DTWP001E" error message. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Workaround
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily work around the flaw by implementing the following workaround to ensure a specific error message is returned to users: Edit the Net.Data configuration file (db2www.ini) by adding a "DTW_DEFAULT_ERROR_MESSAGE" entry (or "DTW_DEFAULT_MACRO" on zOS/iServer) that specifies a fixed error message.

Products

International Business Machines Corporation	Net.Data	7
		7.2

References

Secunia Advisory ID: 10709
ISS X-Force ID: 14925
CVE ID: 2004-1442 (see also: NVD)
Bugtraq ID: 9488
Vendor URL: http://www-3.ibm.com/software/data/net.data/
Other Advisory URL: http://www.secunia.com/secunia_research/2004-1/advisory/

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/3712

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

International Business Machines Corporation

Net.Data

References

Credit