| Ãë¾àÁ¡ID |
210082 |
| À§Çèµµ |
30 |
| Æ÷Æ® |
9080, ... |
| ÇÁ·ÎÅäÄÝ |
TCP |
| ºÐ·ù |
CGI |
| »ó¼¼¼³¸í |
ÇØ´ç IBM WebSphere Application ¼¹ö´Â 'navigateTree.do' ½ºÅ©¸³Æ®¿¡ ÀÖ´Â ´ÙÁßÀÇ Cross-Site Scripting Ãë¾àÁ¡µé¿¡ Ãë¾àÇÏ´Ù. IBM WebSphere Application Server 6.0.x¿Í 6.1.x ¹öÀüµéÀº 'uddigui/navigateTree.do' ½ºÅ©¸³Æ®ÀÇ 'keyField', 'nameField', 'valueField', ±×¸®°í 'frameReturn' Àμöµé·Î Àü´ÞµÈ »ç¿ëÀÚ°¡ Á¦°øÇÑ ÀԷ¿¡ ´ëÇÑ ºÎÀûÀýÇÑ °ËÁõÀ¸·Î ÀÎÇÏ¿©, ´Ù¾çÇÑ Cross-Site Scripting ¹× Cross-Site Request Forgery Ãë¾àÁ¡µé¿¡ Ãë¾àÇÏ´Ù. ÀÌ Ãë¾àÁ¡µéÀº ¿ø°ÝÁöÀÇ °ø°ÝÀÚ°¡ ¾ÇÀÇÀûÀÎ HTML°ú ½ºÅ©¸³Æ® Äڵ带 Æ÷ÇÔÇÏ´Â Ãë¾àÇÑ ¾îÇø®ÄÉÀ̼ÇÀ¸·ÎÀÇ ¾ÇÀÇÀûÀÎ ¸µÅ©(link)¸¦ ¸¸µé°Ô ÇØ ÁÙ ¼ö ÀÖ´Ù. ¸¸¾à ÀÌ ¸µÅ©¸¦ µû¶ó°¡°Ô µÈ´Ù¸é ¾ÇÀÇÀûÀÎ Äڵ尡 Èñ»ýÀÚÀÇ À¥ ºê¶ó¿ìÀú¿¡¼ ½ÇÇàµÉ ¼ö ÀÖ´Ù. ÀÌ°ÍÀº ¿µÇâÀ» ¹Þ´Â À¥ »çÀÌÆ®ÀÇ º¸¾È ±ÇÇÑÀ» °¡Áö°í ÇàÇØÁö¸ç ÄíÅ° ±â¹ÝÀÇ ÀÎÁõ ½Å¿ëÁ¤º¸¸¦ »©³»°Å³ª ´Ù¸¥ °ø°ÝµéÀÇ ¼öÇàÀ» Çã¿ëÇÒ ¼ö ÀÖ´Ù.
* Âü°í »çÀÌÆ®:
http://www-1.ibm.com/support/docview.wss?uid=swg1PK50245
http://securitytracker.com/alerts/2007/Oct/1018884.html
http://secunia.com/advisories/27448
* ¿µÇâÀ» ¹Þ´Â Ç÷§Æû:
IBM WebSphere Application Server 6.0.x ¹öÀüµé
IBM WebSphere Application Server 6.1.x ¹öÀüµé
¸ðµç ¿î¿µÃ¼Á¦ ¸ðµç ¹öÀü |
| ÇØ°áÃ¥ |
´ÙÀ½ IBM APAR PK50245¸¦ ÂüÁ¶ÇÏ¿© IBM WebSphere Application Server 6.1.0 fix pack 13 (6.1.0.13) ȤÀº ÀÌÈÄ ¹öÀüÀ¸·Î ¾÷±×·¹À̵å ÇÏ¿©¾ß ÇÑ´Ù:
IBM WebSphere Application Server 6.0.x ¹öÀüµé
http://www-1.ibm.com/support/docview.wss?uid=swg1PK50245
IBM WebSphere Application Server 6.1.x ¹öÀüµé
http://www-01.ibm.com/support/docview.wss?uid=swg24017311 |
| °ü·Ã URL |
CVE-2007-5798,CVE-2007-5799 (CVE) |
| °ü·Ã URL |
26276 (SecurityFocus) |
| °ü·Ã URL |
38177,38179 (ISS) |
|
