IBM InfoSphere DataStage 'LoggingViewAdmin.do' Multiple HTML Injection Vulnerabilities
Published: 2013-02-14
Updated: 2013-02-19
Affected systems: IBM InfoSphere DataStage 8.x
Description:
BUGTRAQ ID: 57981
CVE(CAN) ID: CVE-2013-0502
IBM InfoSphere DataStage is a core product module of the InfoSphere Information Server information integration platform. It lets you collect and integrate data from a wide range of sources and transform it for data warehouses and other applications, in order to obtain trusted and timely information.
InfoSphere DataStage 8.5 and other versions do not properly sanitize the values passed through multiple parameters to LoggingViewAdmin.do in the Information Server Web Console. An attacker can inject arbitrary HTML and script code that is then executed in the victim user's browser session. The affected parameters are as follows:
http://[host]/LoggingViewAdmin.do?HiddenNameWISDService
http://[host]/LoggingViewAdmin.do?HiddenNameWISDOperation
http://[host]/LoggingViewAdmin.do?HiddenNameWISDApplication
http://[host]/LoggingViewAdmin.do?HiddenNameUser
http://[host]/LoggingViewAdmin.do?HiddenNamePackage
http://[host]/LoggingViewAdmin.do?HiddenNameISFRequestId
http://[host]/LoggingViewAdmin.do?HiddenNameDSWave
http://[host]/LoggingViewAdmin.do?HiddenNameDSTemplate
http://[host]/LoggingViewAdmin.do?HiddenNameDSSeverity
http://[host]/LoggingViewAdmin.do?HiddenNameDSSequence
http://[host]/LoggingViewAdmin.do?HiddenNameDSProject
http://[host]/LoggingViewAdmin.do?HiddenNameDSLoginName
http://[host]/LoggingViewAdmin.do?HiddenNameDSJob
http://[host]/LoggingViewAdmin.do?HiddenNameDSInvocation
http://[host]/LoggingViewAdmin.do?HiddenNameDSHostName
http://[host]/LoggingViewAdmin.do?HiddenNameDSArguments
http://[host]/LoggingViewAdmin.do?HiddenNameArchive
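The following Python script is an added example and is not part of the advisory or of IBM's product code. It shows the two things a defender usually wants from an advisory like this one: a way to spot requests that put markup characters into the affected LoggingViewAdmin.do parameters in an access log, and the output-encoding step that stops such values from being interpreted as HTML when they are reflected. The parameter names come from the list above; the Common Log Format layout and the sample log lines are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names listed in the advisory for LoggingViewAdmin.do.
AFFECTED_PARAMS = {
    "HiddenNameWISDService", "HiddenNameWISDOperation", "HiddenNameWISDApplication",
    "HiddenNameUser", "HiddenNamePackage", "HiddenNameISFRequestId",
    "HiddenNameDSWave", "HiddenNameDSTemplate", "HiddenNameDSSeverity",
    "HiddenNameDSSequence", "HiddenNameDSProject", "HiddenNameDSLoginName",
    "HiddenNameDSJob", "HiddenNameDSInvocation", "HiddenNameDSHostName",
    "HiddenNameDSArguments", "HiddenNameArchive",
}

# Assumed log format: Common Log Format as written by Apache/IHS-style
# front ends. Adjust the pattern if your web console logs differently.
CLF_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

# Characters that have no business in these identifier-style values and
# would be interpreted as markup if the page reflected them unencoded.
MARKUP_CHARS = re.compile(r'[<>"\']')

# Constructed sample traffic, not real logs. Lines 2 and 4 carry markup
# characters in affected parameters; line 3 hits an unrelated endpoint.
SAMPLE_LOG = """\
10.0.0.5 - admin [14/Feb/2013:10:00:01 +0000] "GET /LoggingViewAdmin.do?HiddenNameDSProject=Payroll HTTP/1.1" 200 512
10.0.0.7 - - [14/Feb/2013:10:00:02 +0000] "GET /LoggingViewAdmin.do?HiddenNameUser=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640
10.0.0.9 - - [14/Feb/2013:10:00:03 +0000] "GET /index.jsp?q=%3Cb%3E HTTP/1.1" 200 100
10.0.0.9 - - [14/Feb/2013:10:00:04 +0000] "GET /LoggingViewAdmin.do?HiddenNameDSJob=Load%22x HTTP/1.1" 200 100
"""


def scan_log(text):
    """Return (client, parameter, decoded value) for every request to
    LoggingViewAdmin.do whose affected parameter carries markup characters."""
    findings = []
    for line in text.splitlines():
        m = CLF_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/LoggingViewAdmin.do"):
            continue
        # parse_qs percent-decodes, so %3C and a literal '<' are treated alike.
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name not in AFFECTED_PARAMS:
                continue
            for value in values:
                if MARKUP_CHARS.search(value):
                    findings.append((m.group("client"), name, value))
    return findings


def safe_render(value):
    """Output-encode a parameter value before placing it in an HTML body or
    attribute. This is the standard mitigation for reflected HTML injection:
    the value is still shown, but the browser treats it as text, not markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for client, name, value in scan_log(SAMPLE_LOG):
        print(f"{client} sent markup in {name}: {value!r} "
              f"-> encoded as {safe_render(value)!r}")
```

Run the script against a real access log by replacing SAMPLE_LOG with the file contents. Hits on an unpatched console are worth correlating with the session of the user who received the response, since the injected content runs in that user's browser, not on the server.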
<*Source: vendor
Links:
http://secunia.com/advisories/52187/
http://www-01.ibm.com/support/docview.wss?uid=swg1JR45274
http://www.osvdb.org/show/osvdb/90288
*>
Recommendation:
Vendor patch:
IBM
---
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:
http://www-142.ibm.com/software/products/cn/zh/ibminfodata