IBM WebSphere Application Server SOAP Connector Error Page XSS

This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote SOAP server is vulnerable to a cross-site scripting
attack.

Description :

The remote SOAP server fails to sanitize user input via the URI
before using it to generate dynamic XML content in an error page. An
unauthenticated, remote attacker may be able to leverage this issue to
inject arbitrary XML into a user's browser.
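The defect class described above, as an added illustration that is not code from Tenable or from IBM WebSphere: a hypothetical SOAP fault document is built from the request URI, once by raw string concatenation and once with the URI escaped for XML text content. The fault element names, the `SAMPLE_URI` value and the helper names are constructed for this example; a parse-based check shows that the escaped document still carries the exact URI as text, while the unescaped one is no longer well-formed XML.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed request URI containing markup characters (not a payload from the advisory).
SAMPLE_URI = '/services/<injected>?x="y"'

# Hypothetical fault document; element names are an assumption, not WebSphere's format.
_TEMPLATE = (
    "<fault>\n"
    "  <faultcode>Client</faultcode>\n"
    "  <faultstring>No service at {uri}</faultstring>\n"
    "</fault>\n"
)


def error_page_unsafe(request_uri: str) -> str:
    """Builds the fault document by inserting the raw request URI.

    This mirrors the defect class in the description: any markup in the
    URI lands in the XML verbatim and is interpreted by the client.
    """
    return _TEMPLATE.format(uri=request_uri)


def error_page_safe(request_uri: str) -> str:
    """Same document, but the URI is escaped for XML text content first.

    xml.sax.saxutils.escape handles &, < and >; the extra entity map also
    turns double quotes into &quot; so the value is safe inside attributes too.
    """
    escaped = escape(request_uri, {'"': "&quot;"})
    return _TEMPLATE.format(uri=escaped)


def renders_as_intended(document: str, request_uri: str) -> bool:
    """Defender-side check: parse the document and confirm the URI survived
    only as text inside <faultstring>.  Returns False when the document is
    not well-formed XML or when the text no longer matches."""
    try:
        root = ET.fromstring(document)
    except ET.ParseError:
        return False
    node = root.find("faultstring")
    return node is not None and node.text == f"No service at {request_uri}"


if __name__ == "__main__":
    print("unsafe renders as intended:",
          renders_as_intended(error_page_unsafe(SAMPLE_URI), SAMPLE_URI))
    print("safe renders as intended:  ",
          renders_as_intended(error_page_safe(SAMPLE_URI), SAMPLE_URI))
```

The parse check doubles as a cheap regression test for an error handler: if an untrusted value can change the document's element structure, escaping at the point of insertion is the fix, and the check should pass for every URI the server might echo back.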

See also :

http://www.securityfocus.com/archive/1/450704/30/0/threaded
http://www-1.ibm.com/support/search.wss?rs=0&q=PK16602&apar=only

Solution :

Apply version 5.0.2 Cumulative Fix 17 / 5.1.1 Cumulative Fix 12 /
6.0.2 Fix Pack 9, depending on the installed version of IBM WebSphere
Application Server.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.2
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: CGI abuses : XSS

Nessus Plugin ID: 23649

Bugtraq ID: 17919

CVE ID: CVE-2006-2431