• The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
Menu
  • The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
  • Security Vulnerability Reported in i5/OS

    February 5, 2008 Alex Woodie

    IBM on Saturday reported that it has discovered a security vulnerability in i5/OS V5R3 and V5R4 that could lead to cross-site scripting attacks. The flaw, which is in i5/OS’s HTTP Server, is deemed low risk by outside security experts, and has not been fixed yet.

    According to IBM’s Authorized Program Analysis Report, or APAR, the security vulnerability is caused by an input validation error in the HTTP Server. When the HTTP Server receives an unsupported “Expect” header field value, it sends back an error document that includes the Expect header field value.

    Instead of “HTML-escaping” the field header value so that it isn’t processed, the HTTP Server includes the header field value in its error document, according to the APAR. As a result, this error could be exploited by attackers to run arbitrary scripting code in the Web browser as part of a cross-site scripting attack.

    IBM indicated in the APAR that it will fix the problem, but it didn’t indicate a timeframe. The problem is therefore unresolved.

    The security Web site Secunia issued advisory SA28744 concerning the problem, which it rated as “less critical.” The French Security Incident Response Team, in its advisory, gave the vulnerability a “low risk” rating.



                         Post this story to del.icio.us
                   Post this story to Digg
        Post this story to Slashdot

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Tags:

    Sponsored by
    DRV Technologies, Inc.

    Get More from Your IBM i

    Many users today struggle to get at the data they need on the IBM i. When users get reports, they look like they were formatted some time last century.

    Some organizations are still printing pre-printed forms and checks on impact printers.

    How often do operators log on to their system to look for messages they hope they don’t find?

    All of these scenarios can affect users’ perception of the IBM platform negatively, but there are simple solutions.

    DRV Technologies Inc. develops innovative solutions that help customers get more from their IBM i systems.

    Solutions include:

    • SpoolFlex spool conversion & distribution
    • FormFlex electronic forms
    • SecureChex MICR laser check printing
    • MessageFlex system monitoring

    FlexTools streamline resources, improve efficiency and enable pro-active system management.

    Better software, better service, DRV Tech.

    Learn how you can get more from your IBM i at www.drvtech.com

    Call 866 378-3366 for a Free Demonstration

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Sponsored Links

    Bytware:  Start the new year off with better security!
    COMMON:  Join us at the annual 2008 conference, March 30 - April 3, in Nashville, Tennessee
    Seagull Software:  Update your System i apps with LegaSuite GUI

    IT Jungle Store Top Book Picks

    Getting Started with PHP for i5/OS: List Price, $59.95
    The System i RPG & RPG IV Tutorial and Lab Exercises: List Price, $59.95
    The System i Pocket RPG & RPG IV Guide: List Price, $69.95
    The iSeries Pocket Database Guide: List Price, $59.00
    The iSeries Pocket Developers' Guide: List Price, $59.00
    The iSeries Pocket SQL Guide: List Price, $59.00
    The iSeries Pocket Query Guide: List Price, $49.00
    The iSeries Pocket WebFacing Primer: List Price, $39.00
    Migrating to WebSphere Express for iSeries: List Price, $49.00
    iSeries Express Web Implementer's Guide: List Price, $59.00
    Getting Started with WebSphere Development Studio for iSeries: List Price, $79.95
    Getting Started With WebSphere Development Studio Client for iSeries: List Price, $89.00
    Getting Started with WebSphere Express for iSeries: List Price, $49.00
    WebFacing Application Design and Development Guide: List Price, $55.00
    Can the AS/400 Survive IBM?: List Price, $49.00
    The All-Everything Machine: List Price, $29.95
    Chip Wars: List Price, $29.95

    i5/OS V6R1 and Its Java Enhancements Setting Up A PHP/Web Environment On System i: Where Do I Start?

    Leave a Reply Cancel reply

Volume 8, Number 5 -- February 5, 2008
THIS ISSUE SPONSORED BY:

Help/Systems
Vision Solutions
Cosyn
Bytware
COMMON

Table of Contents

  • New Web Console Debuts with i5/OS V6R1
  • RPG to .NET Reduces Maintenance Pain, Adds Rich User Interface
  • IBM Makes DB2 Web Query More Affordable
  • Bug Busters’ HA Offering Gets Role Swap Function
  • Security Vulnerability Reported in i5/OS
  • IBM Unveils Pricing and Packaging for DataMirror HA Software
  • V6R1 to Bring New OmniFind Text Search Server
  • ICS Updates FormSprint with GUI Design Tool
  • Disk Dangers Avoided with Robot/SPACE 3.0
  • LTO-5 On Course for 2009

Content archive

  • The Four Hundred
  • Four Hundred Stuff
  • Four Hundred Guru

Recent Posts

  • Fortra Issues 20th State of IBM i Security Report
  • FNTS Launches Managed Services for Power Servers in IBM Cloud
  • Total LTO Shipped Capacity Up Slightly in 2022
  • Four Hundred Monitor, May 24
  • Update On Critical Security Vulnerability In PowerVM
  • Critical Security Vulnerability In PowerVM Hypervisor
  • IBM Power: Hosted On-Premises Or In The Cloud?
  • Guru: Watch Out For This Pitfall When Working With Integer Columns
  • As I See It: Bob-the-Bot
  • IBM i PTF Guide, Volume 25, Number 21

Subscribe

To get news from IT Jungle sent to your inbox every week, subscribe to our newsletter.

Pages

  • About Us
  • Contact
  • Contributors
  • Four Hundred Monitor
  • IBM i PTF Guide
  • Media Kit
  • Subscribe

Search

Copyright © 2023 IT Jungle