VYPR
Unrated severity · NVD Advisory · Published May 26, 2011 · Updated Apr 29, 2026

CVE-2011-2172

Description

Cross-site scripting (XSS) vulnerability in the search center in IBM WebSphere Portal 7.0.0.1 before CF004 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM WebSphere Portal 7.0.0.1 before CF004's search center is vulnerable to stored/reflected XSS via a hidden form field.

Vulnerability

The search center in IBM WebSphere Portal 7.0.0.1 before CF004 (Cumulative Fix 004) contains a cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary web script or HTML by modifying a hidden form field in the search center portlet. Specifically, the value attribute of a hidden `<input>` element with `name="scope"` is not sanitized before it is reflected, allowing injection of JavaScript [2].

Exploitation

The attacker does not require authentication to exploit this vulnerability. Using a browser's developer tools (e.g., Firebug in Firefox or the F12 tools in Internet Explorer 8), the attacker edits the hidden input's value to include a malicious payload, such as `com.ibm.lotus.search.ALL_SOURCES"+alert('XSS')+"`. When the form is submitted, the injected script executes in the context of the victim's session [2]. This is a client-side manipulation that requires the victim to interact with the crafted form or link.
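The attribute-context injection described above, and the output encoding that keeps such a value inert, as an added JavaScript illustration that is not IBM's or the portlet's code; the markup, function names and the review check are assumptions made for the illustration.

```javascript
// Added illustration, not IBM's code: the attribute-context injection the
// narrative describes and the output encoding that neutralizes it. The
// markup and function names are assumptions for illustration only.

// Vulnerable rendering: the scope value is concatenated into the attribute
// verbatim, so a value containing a double quote ends the attribute early.
function renderScopeInputUnsafe(scope) {
  return '<input type="hidden" name="scope" value="' + scope + '">';
}

// HTML attribute encoder: replaces every character that can close or alter
// an attribute, or open a tag, with an entity the browser decodes back.
function encodeForHtmlAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(s).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Hardened rendering: same template, value encoded before insertion.
function renderScopeInputSafe(scope) {
  return '<input type="hidden" name="scope" value="' +
         encodeForHtmlAttribute(scope) + '">';
}

// Review check: the rendered element must still be exactly one hidden input
// whose value attribute is the only thing after name="scope". Any extra
// quote, tag or attribute introduced by the value makes this return false.
function valueAttributeIntact(html) {
  return /^<input type="hidden" name="scope" value="[^"<>]*">$/.test(html);
}

// Inverse of the encoder, used to confirm the browser would still see the
// original scope string (behaviour preserved, only the context is fixed).
function decodeHtmlAttribute(s) {
  const map = { "&amp;": "&", "&lt;": "<", "&gt;": ">",
                "&quot;": '"', "&#39;": "'", "&#96;": "`" };
  return s.replace(/&(amp|lt|gt|quot|#39|#96);/g, (ent) => map[ent]);
}

// Constructed input shaped like the payload quoted in the narrative above.
const CRAFTED_SCOPE = 'com.ibm.lotus.search.ALL_SOURCES"+alert(\'XSS\')+"';

console.log(renderScopeInputUnsafe(CRAFTED_SCOPE)); // attribute broken open
console.log(renderScopeInputSafe(CRAFTED_SCOPE));   // one intact attribute
```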

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the security context of the WebSphere Portal application. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability is classified as cross-site scripting (XSS) and can compromise the confidentiality and integrity of user data [2].

Mitigation

IBM released Cumulative Fix 004 (CF004) for WebSphere Portal 7.0.0.1, which includes a code fix for this issue. The fix is available from IBM Fix Central as APAR PM37009 [1] or directly via APAR PM36644 [2]. Administrators should apply CF004 to the affected WebSphere Portal 7.0.0.1 installations. No workaround is documented in the references for versions prior to the fix.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (4)

  • cpe:2.3:a:ibm:websphere_portal:7.0.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf002:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf003:*:*:*:*:*:*
  • (no CPE) range: <=7.0.0.1 before CF004

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (7)

News mentions (0)

No linked articles in our index yet.