October 02, 2009

Weekly product update – Cenzic detects an IBM WAS Security Restrictions Vulnerability

As of October 2, 2009, Cenzic now detects the IBM WebSphere Application Server doGet/doTrace Method Flaw Lets Remote Users Bypass Security Restrictions vulnerability (SecurityTracker Alert ID: 1022862). The IBM WebSphere Application Server (WAS) does not properly apply security controls to the doGet and doTrace methods. A remote user can send a specially crafted HTTP HEAD request to a target application whose protection constraints cover only GET and POST requests, and thereby bypass the security restrictions.
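As an added example (not part of the Cenzic update or of IBM's code), the following Python script audits a Servlet web.xml for security constraints that enumerate HTTP methods, which is the configuration shape this flaw turns on: a constraint that lists only GET and POST leaves HEAD, TRACE and the other verbs unconstrained, and HttpServlet dispatches HEAD through doGet() by default. The web.xml it scans is a constructed sample, and COMMON_METHODS and find_method_gaps are names chosen here.

```python
# Audit a Servlet web.xml for verb-tampering exposure. Under the Servlet spec a
# <security-constraint> with no <http-method> covers every method; one that lists
# methods covers only those, so unlisted verbs reach the resource unprotected.
import xml.etree.ElementTree as ET

# Constructed sample: the /admin/* constraint names only GET and POST, the shape
# that leaves HEAD and TRACE uncovered; /reports/* lists no methods and is fine.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Verbs HttpServlet dispatches; HEAD falls through to doGet() and TRACE to
# doTrace() by default, which is why a GET/POST-only constraint is bypassable.
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


def find_method_gaps(web_xml: str) -> dict[str, set[str]]:
    """Return {url-pattern: uncovered methods} for each constraint that enumerates methods."""
    root = ET.fromstring(web_xml)
    # Handle both namespaced (xmlns="...") and bare web.xml files.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda t: f"{{{ns}}}{t}") if ns else (lambda t: t)
    gaps: dict[str, set[str]] = {}
    for coll in root.iter(q("web-resource-collection")):
        listed = {m.text.strip().upper() for m in coll.findall(q("http-method")) if m.text}
        if not listed:
            continue  # no <http-method> elements: constraint applies to all methods
        for pat in coll.findall(q("url-pattern")):
            gaps[pat.text.strip()] = COMMON_METHODS - listed
    return gaps
```

Running `find_method_gaps(SAMPLE_WEB_XML)` reports `/admin/*` with HEAD, TRACE, PUT, DELETE and OPTIONS uncovered; the fix is to drop the `<http-method>` list so the constraint applies to every method.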
Background on Cenzic's SmartAttacks

Every week, Cenzic's suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications. These Web application vulnerabilities include (but are not limited to) cross-site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.
by Erin Swanson Eswanson@cenzic.com