Four Hundred Stuff
Volume 8, Number 5 -- February 5, 2008

Security Vulnerability Reported in i5/OS

Published: February 5, 2008

by Alex Woodie

IBM on Saturday reported that it has discovered a security vulnerability in i5/OS V5R3 and V5R4 that could be used for cross-site scripting attacks. The flaw is in the i5/OS HTTP Server. Outside security firms rate it low risk, and IBM has not yet shipped a fix.

According to IBM's Authorized Program Analysis Report, or APAR, the vulnerability is an input validation error in the HTTP Server. When the HTTP Server receives a request whose "Expect" header carries a value it does not support, it rejects the request with an error document (HTTP defines the 417 "Expectation Failed" response for this case), and that error document echoes the Expect header value back to the client.

Instead of HTML-escaping the header value so that a browser renders it as plain text, the HTTP Server embeds the raw value in its error document, according to the APAR. Any markup or script in the value is therefore treated as part of the page. An attacker who can get a victim's browser to send a crafted Expect header can run arbitrary script in that browser in the context of the affected site, which is a reflected cross-site scripting attack. The practical caveat is that an ordinary hyperlink cannot set a request header, so exploitation needs a client, plug-in, or other component that can, which limits the reach of the flaw.
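The following is an added example written for this article, not IBM's code or the APAR's text. It simulates the behaviour the APAR describes, a server that rejects an unsupported Expect value with a 417 error page that echoes the value, beside the hardened form that HTML-escapes the value first, and it includes the probe a practitioner would run against a host to tell the two apart. The probe string, the server's page wording, and the function names are this example's own assumptions.

```python
"""Reflected XSS via an unescaped Expect header, and the check for it.

Constructed example for illustration; not the i5/OS HTTP Server's code.
"""
import html
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed probe: harmless as text, a script tag if echoed into markup.
PROBE = '<script>alert("xss")</script>'


def error_document(expect_value: str, escape: bool) -> str:
    """Build the 417 error page.

    escape=False mirrors the flaw the APAR describes (raw header value in
    the page); escape=True is the fix: HTML-escape untrusted text before
    embedding it in markup so the browser shows it rather than runs it.
    """
    shown = html.escape(expect_value, quote=True) if escape else expect_value
    return (
        "<html><head><title>417 Expectation Failed</title></head><body>"
        "<h1>Expectation Failed</h1>"
        "<p>The expectation given in the Expect request-header field "
        "could not be met by this server.</p>"
        f"<p>The client sent: {shown}</p></body></html>"
    )


def reflects_unescaped(body: str, probe: str = PROBE) -> bool:
    """Detector: vulnerable if the probe comes back byte-for-byte.

    The escaped rendering (&lt;script&gt;...) does not match, so a fixed
    server is reported as clean even though it still mentions the value.
    """
    return probe in body


class _Handler(BaseHTTPRequestHandler):
    """Minimal server reproducing only the Expect error path."""
    protocol_version = "HTTP/1.1"
    escape = False  # toggled below to show the hardened behaviour

    def do_GET(self):
        expect = self.headers.get("Expect")
        if expect is not None and expect.lower() != "100-continue":
            body = error_document(expect, self.escape).encode("utf-8")
            self.send_response(417)
        else:
            body = b"<html><body>ok</body></html>"
            self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def probe_server(host: str, port: int, probe: str = PROBE) -> tuple:
    """Send one GET with the probe in Expect; return (status, vulnerable).

    This is the check to run against a real host: an unescaped echo of the
    probe in the 417 body means the server has the flaw.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.putrequest("GET", "/")  # Host header is added automatically
    conn.putheader("Expect", probe)
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, reflects_unescaped(body, probe)


def run_demo() -> dict:
    """Start the simulated server on a loopback port and probe it in both
    modes. Returns {"vulnerable": (417, True), "hardened": (417, False)}."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = {}
        for mode in ("vulnerable", "hardened"):
            _Handler.escape = (mode == "hardened")
            results[mode] = probe_server("127.0.0.1", server.server_port)
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode, (status, vulnerable) in run_demo().items():
        print(f"{mode}: HTTP {status}, probe reflected unescaped: {vulnerable}")
```

Against a real server, point `probe_server` at the host and port and read the second element of the result; note that the detector looks for the verbatim probe, so a server that echoes the value escaped, or that rewrites it, is reported as not vulnerable and should be inspected by hand before being cleared.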

IBM indicated in the APAR that it will fix the problem, but it gave no timeframe, so the problem is currently unresolved. Administrators running the HTTP Server on V5R3 or V5R4 should watch for the PTF that closes the APAR.

The security Web site Secunia issued advisory SA28744 on the problem and rated it "less critical." The French Security Incident Response Team (FrSIRT), in its own advisory, gave the vulnerability a "low risk" rating.








Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed












Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
