Security Vulnerability Reported in i5/OS
February 5, 2008 Alex Woodie
IBM on Saturday reported that it has discovered a security vulnerability in i5/OS V5R3 and V5R4 that could lead to cross-site scripting attacks. The flaw, which is in i5/OS’s HTTP Server, is deemed low risk by outside security experts, and has not been fixed yet.
According to IBM’s Authorized Program Analysis Report, or APAR, the security vulnerability is caused by an input validation error in the HTTP Server. When the HTTP Server receives an unsupported “Expect” header field value, it sends back an error document that includes the Expect header field value.
Instead of “HTML-escaping” the field header value so that it isn’t processed, the HTTP Server includes the header field value in its error document, according to the APAR. As a result, this error could be exploited by attackers to run arbitrary scripting code in the Web browser as part of a cross-site scripting attack.
IBM indicated in the APAR that it will fix the problem, but it didn’t indicate a timeframe. The problem is therefore unresolved.
The security Web site Secunia issued advisory SA28744 concerning the problem, which it rated as “less critical.” The French Security Incident Response Team, in its advisory, gave the vulnerability a “low risk” rating.