Reported December 3, 2003, by Oliver Karow.

VERSIONS AFFECTED

  • IBM Tivoli Directory Server 4.1

DESCRIPTION

A reflected cross-site scripting vulnerability exists in the IBM Tivoli Directory Server Web Admin GUI. The value of the Action parameter passed to the ldacgi.exe CGI is written back into the response page without HTML encoding. A URL such as https://server/ldap/cgi-bin/ldacgi.exe?Action=<script>alert("foo")</script> therefore makes the server return a page containing the attacker's HTML and JavaScript. Because the injection is reflected, the attacker has to get an administrator to open the crafted link (from an e-mail or another web page, for example); the script then runs in the administrator's browser within the origin of the admin interface.
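The reflection described above, as an added example that is not part of the original advisory and not IBM's code: a hypothetical stand-in for the CGI handler that echoes Action unencoded, the same handler with HTML entity encoding at the output point, a properly percent-encoded probe URL (the raw URL in the advisory relies on the client sending < and " unchanged), and a check that tells the two handlers apart from the response body. The page layout, the handler bodies and the check_reflection helper are assumptions made for illustration.

```python
"""Reflected XSS via a CGI 'Action' parameter.

Illustrative code written for this advisory page. The two handlers are
hypothetical stand-ins for ldacgi.exe and do not model its real page layout;
only the reflection behaviour the advisory reports is reproduced."""
import html
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Base URL and proof-of-concept payload quoted in the advisory.
BASE = "https://server/ldap/cgi-bin/ldacgi.exe"
POC_PAYLOAD = '<script>alert("foo")</script>'


def _action(query: str) -> str:
    """Extract the Action parameter from a raw query string (percent-decoded)."""
    return parse_qs(query, keep_blank_values=True).get("Action", [""])[0]


def vulnerable_handler(query: str) -> str:
    """Hypothetical vulnerable CGI: copies Action straight into the page,
    which is the behaviour the advisory describes."""
    return f"<html><body><h1>Action: {_action(query)}</h1></body></html>"


def fixed_handler(query: str) -> str:
    """Same handler with entity encoding applied where the value is emitted,
    so '<', '>', '&' and quotes can no longer start markup or attributes."""
    safe = html.escape(_action(query), quote=True)
    return f"<html><body><h1>Action: {safe}</h1></body></html>"


def probe_url(base: str, payload: str) -> str:
    """Build a percent-encoded probe URL for the Action parameter."""
    parts = urlsplit(base)
    query = urlencode({"Action": payload})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def reflects_unescaped(body: str, payload: str) -> bool:
    """True when the exact payload comes back verbatim, i.e. no encoding was
    applied. A marker such as '<zz"xss>' is enough for scanning; a real
    verdict also needs to see where in the page it lands."""
    return payload in body


def check_reflection(base: str, payload: str, handler) -> bool:
    """Offline end-to-end check: encode the probe, hand the query string to a
    handler standing in for the server, and look for verbatim reflection."""
    url = probe_url(base, payload)
    return reflects_unescaped(handler(urlsplit(url).query), payload)


if __name__ == "__main__":
    print("probe:", probe_url(BASE, POC_PAYLOAD))
    print("vulnerable reflects payload:",
          check_reflection(BASE, POC_PAYLOAD, vulnerable_handler))
    print("fixed reflects payload:",
          check_reflection(BASE, POC_PAYLOAD, fixed_handler))
```

Against a live target the same check is the probe a scanner runs: send an encoded, harmless marker in Action, then look for it unencoded in the body. Encoding at the output point, not input filtering, is the fix; a blacklist of `<script>` leaves event-handler attributes and other vectors open.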

VENDOR RESPONSE

IBM (http://www.ibm.com/) has been notified.

CREDIT

Discovered by Oliver Karow.