Volume 8, Number 8 -- February 26, 2008

IBM Patches Security Flaw in Quickr for i5/OS

Published: February 26, 2008

by Alex Woodie

IBM has issued a patch for a cross-site scripting security vulnerability in Lotus Quickr for i5/OS, the computer security research and development company Secunia reported last week. The flaw was given a "less critical" rating. Meanwhile, another security flaw in i5/OS reported earlier this month has been partially patched by IBM.

According to a Secunia advisory published last week, a security vulnerability in Lotus Quickr for i5/OS version 8 can be exploited to conduct cross-site scripting attacks. The problem stems from certain input not being properly sanitised before it is returned to the user when anonymous access is disabled on the HTTP ports, Secunia says. As a result, an attacker can inject arbitrary HTML or script into pages served by the Quickr site, and that script runs in the browsers of other users who view those pages, with whatever access those users have to the site.

The vulnerability is reported in Lotus Quickr for i5/OS versions prior to 8.0.0.2 Hotfix 11 on Domino version 7.0.2, according to Secunia. The problem is resolved with the application of Hotfix 11 for Lotus Quickr for i5/OS.
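To show the kind of defect Secunia describes, here is an added example in JavaScript (Node.js) of a page that reflects a request parameter into its HTML without encoding, next to the same page with contextual output encoding applied. This is not Lotus Quickr or Domino code, and the advisory does not name the affected input, so the search parameter "q", the page layout and the two payloads are constructed for illustration only.

```javascript
// Added example, not Lotus Quickr code: reflected XSS from echoing a request
// parameter, beside the hardened version. Parameter name "q", page markup and
// payloads are assumptions constructed for this demonstration.

// Encode the five characters that can break out of HTML text or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the untrusted search term is interpolated into the page as-is,
// once in a text context and once inside a quoted attribute.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1>` +
         `<input name="q" value="${query}"></body></html>`;
}

// Hardened: the same value is HTML-encoded before it lands in either context.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<html><body><h1>Results for: ${q}</h1>` +
         `<input name="q" value="${q}"></body></html>`;
}

// Tester's check: does the raw payload survive into the response, i.e. would a
// browser parse it as markup or an attribute break-out rather than as text?
function reflectsUnescaped(html, payload) {
  return html.includes(payload);
}

// Constructed payloads: the first breaks out of the text context, the second
// closes the value="..." attribute and adds an event handler.
const PAYLOADS = [
  '<script>alert(document.cookie)</script>',
  '" onfocus="alert(1)" autofocus="',
];

// Returns, per payload, whether each rendering reflects it unencoded.
function runDemo() {
  return PAYLOADS.map((p) => ({
    payload: p,
    vulnerable: reflectsUnescaped(renderSearchVulnerable(p), p),
    safe: reflectsUnescaped(renderSearchSafe(p), p),
  }));
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The check only tests for literal reflection, which is enough to show the difference here; in a real review the encoding must match the context the value lands in (HTML text, quoted attribute, URL, or script block), and the Secunia advisory does not say which context the Quickr flaw involved.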

The discovery of the cross-site scripting flaw in Lotus Quickr for i5/OS led to a second, related finding: another cross-site scripting flaw in Lotus Quickr version 8 and Lotus QuickPlace version 7, according to Secunia. The security firm says an Avnet researcher found a problem with the way the products handle the "OpenDocument" command. That flaw was reported just yesterday and is currently marked as not patched.

This is the second reported security flaw in i5/OS or an IBM i5/OS application this month. In early February, IBM reported a flaw in the HTTP Server in i5/OS V5R3 and V5R4 that could lead to cross-site scripting attacks. That flaw was patched for V5R3 by IBM a week and a half ago, according to Secunia, but not for V5R4.

Lotus Quickr is one of a new class of Web 2.0 applications to make their way to the System i platform. The product, which was launched last June to much IBM fanfare, is designed to allow business users to view, edit, share, and distribute their documents and ideas using Web 2.0-style interfaces, such as blogs, wikis, and RSS feeds, along with their Lotus or Microsoft e-mail.


RELATED STORIES

Security Vulnerability Reported in i5/OS

Lotus Quickr Now Available from IBM




Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
