Cross Site Scripting Vulnerability in IBM Tivoli Directory Server 4.1

Reported December 3, 2003, by Oliver Karow.

VERSIONS AFFECTED

  • IBM Tivoli Directory Server 4.1

DESCRIPTION

A cross-site scripting vulnerability exists in the IBM Tivoli Directory Server Web Admin GUI. By sending a URL such as https://server/ldap/cgi-bin/ldacgi.exe?Action=<script>alert("foo")</script>, an attacker can insert arbitrary HTML and JavaScript code into the IBM Tivoli Directory Server Admin Web page.
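As an added illustration (not IBM's code and not part of the advisory), the following Python models the defect described above by reflecting the Action parameter unescaped, shows the output-encoding fix, and flags access-log requests to ldacgi.exe that carry raw or percent-encoded tag characters. The handler, the log lines and the hosts in them are constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed query string mirroring the advisory's proof-of-concept URL.
SAMPLE_QUERY = 'Action=<script>alert("foo")</script>'

def render_unsafe(query: str) -> str:
    """Models the defect: the Action value is copied into the page verbatim."""
    action = parse_qs(query).get("Action", [""])[0]
    return f"<html><body><h1>Action: {action}</h1></body></html>"

def render_hardened(query: str) -> str:
    """Remediation: HTML-escape untrusted input before it enters the HTML body."""
    action = parse_qs(query).get("Action", [""])[0]
    safe = html.escape(action, quote=True)
    return f"<html><body><h1>Action: {safe}</h1></body></html>"

def contains_script_tag(page: str) -> bool:
    """True when a live <script> element survived into the rendered page."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None

# Detection: flag requests to ldacgi.exe whose query contains tag characters.
SUSPECT = re.compile(r"[<>]")
REQUEST = re.compile(r'"GET (\S+) HTTP/')

def flag_log_lines(lines):
    """Return the access-log lines that look like attempts against this CGI."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.lower().endswith("/ldap/cgi-bin/ldacgi.exe"):
            continue
        # Decode percent-encoding so %3Cscript%3E is caught as well as <script>.
        if SUSPECT.search(unquote(parts.query)):
            hits.append(line)
    return hits

# Constructed Apache-style access-log lines (hosts and timestamps are made up).
LOG_LINES = [
    '10.0.0.5 - - [03/Dec/2003:10:00:00 +0000] "GET /ldap/cgi-bin/ldacgi.exe?Action=Start HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Dec/2003:10:01:00 +0000] "GET /ldap/cgi-bin/ldacgi.exe?Action=%3Cscript%3Ealert(%22foo%22)%3C/script%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [03/Dec/2003:10:02:00 +0000] "GET /ldap/index.html HTTP/1.1" 200 100',
]
```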

VENDOR RESPONSE

IBM has been notified.

CREDIT

Discovered by Oliver Karow.