Security Vulnerability Reported in i5/OS

February 5, 2008 Alex Woodie

IBM on Saturday reported that it has discovered a security vulnerability in i5/OS V5R3 and V5R4 that could lead to cross-site scripting attacks. The flaw, which is in i5/OS’s HTTP Server, is deemed low risk by outside security experts, and has not been fixed yet.

According to IBM’s Authorized Program Analysis Report, or APAR, the security vulnerability is caused by an input validation error in the HTTP Server. When the HTTP Server receives an unsupported “Expect” header field value, it sends back an error document that includes the Expect header field value.

Instead of “HTML-escaping” the field header value so that it isn’t processed, the HTTP Server includes the header field value in its error document, according to the APAR. As a result, this error could be exploited by attackers to run arbitrary scripting code in the Web browser as part of a cross-site scripting attack.

IBM indicated in the APAR that it will fix the problem, but it didn’t indicate a timeframe. The problem is therefore unresolved.

The security Web site Secunia issued advisory SA28744 concerning the problem, which it rated as “less critical.” The French Security Incident Response Team, in its advisory, gave the vulnerability a “low risk” rating.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Tags:

Sponsored By
COMMON

Save the date for COMMON's 2008 Annual Meeting and Exposition,
March 30 - April 3, 2008 in Nashville, Tennessee, at the Gaylord Opryland Resort.

This premier System i education and networking event is COMMON's largest event of the year, offering five full days of System i education and evening socials.

The conference will feature well over 500 educational sessions, hands-on labs, and all-day workshops covering a wide variety of topics in solutions development, infrastructure management, and business/ professional development. There will be sessions on hot topics like PHP, DB2 Web Query, IP Telephony, Domino 8 and IBM's next new release: i5/OS V6R1. There will also be sessions aimed at IT Strategy, IT Leadership and personal development, to accommodate your less technical roles at work. All classes are delivered by the most respected and knowledgeable presenters in the industry.

In addition to the leading edge education, the Annual Meeting and Exposition provides an invaluable networking forum for attendees to interact with their System i community. After a full day of education, the evening iSocial events provide attendees the opportunity to relax, have some fun, and exchange knowledge and real-world experiences with fellow attendees, speakers, solution providers and IBM. iSociety Face-to-Face Sessions offer attendees the ability to hold "face-to-face" discussions on any special interest topic - technical or otherwise. The contacts you make at the conference will be as valuable as the education you receive.

You will also have access to the world's largest System i-related Exposition, which encompasses more that 80 of the leading industry exhibitors, including a large IBM presence. The COMMON Exposition provides a one-stop source of up-to-the-minute information and products for the IT industry. Discover what's new in the System i world, and learn how you and your company can reduce costs and improve productivity by leveraging the products and services featured at the COMMON Exposition. You can compare and contrast your alternatives, and discover which solution best suits your needs.

Finally, the Annual Meeting and Exposition is the place for you to hear from the Board of Directors about COMMON, and is your chance to communicate with them in person. Bring your questions, comments and feedback to the meeting of the members at the Annual Meeting and Exposition.

COMMON's 2008 Annual Meeting and Exposition will offer:
· Over 500 sessions and hands-on labs in a range of choices every hour
· i5/OS V6R1 sessions
· Customer experience sessions and new speakers
· In-depth education through all-day pre-conference workshops, all-day Integrated Seminars,
   open labs
· Emphasis on networking that provides great opportunities to network with your peers,
   IBM developers, executives, and industry experts
· iSocial events for fun and relaxation
· An extensive Exposition of new companies showcasing the latest System i-related
   industry solutions

The COMMON 2008 Annual Meeting and Exposition is a
System i educational and networking event that
you and/or your team won't want to miss.
To learn more about the conference visit
www.common.org

User Storage Limits and Application Processing Setting Up A PHP/Web Environment On System i: Where Do I Start?

Table of Contents

Recent Posts

Subscribe

Pages

Search