[Original] Cross-site scripting (XSS) vulnerability in the db2www CGI interpreter in IBM Net.Data 7 and 7.2 allows remote attackers to inject arbitrary web script or HTML via a macro filename, which is not properly handled by error messages such as "DTWP001E."
IBM Net.Data is prone to cross-site scripting attacks via error message output. This may permit a remote attacker to create a link to a system hosting the software that includes embedded HTML and script code. This hostile code may be rendered in the web browser of a user who follows the malicious link.
Exploitation could permit theft of cookie-based authentication credentials or other attacks.
IBM Net.Data contains a flaw that allows a remote cross-site scripting attack.
This flaw exists because the application does not validate macro names before echoing them in the "DTWP001E" error message. This could allow a user to create a specially crafted URL that would execute arbitrary script in another user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily work around the flaw by ensuring a fixed error message is returned to users: edit the Net.Data configuration file (db2www.ini) and add a "DTW_DEFAULT_ERROR_MESSAGE" entry (or "DTW_DEFAULT_MACRO" on zOS/iServer) that specifies a fixed error message, so the requested macro name is no longer reflected into the page.
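As an added illustration (not Net.Data's own code; the exact DTWP001E wording and the page layout are assumed), the model below contrasts the flawed behaviour of reflecting the requested macro name verbatim with two defensive alternatives: HTML-escaping the reflected value, and returning a fixed message as the db2www.ini workaround above does.

```python
import html

# Constructed stand-in for the real error text; the actual DTWP001E wording is not on the page.
ERROR_CODE = "DTWP001E"


def vulnerable_error_page(macro_name: str) -> str:
    """Models the flaw: the requested macro filename is interpolated into the HTML
    error page without encoding, so any markup in the name is parsed by the browser."""
    return (f"<html><body>{ERROR_CODE}: macro file {macro_name} "
            f"could not be opened.</body></html>")


def hardened_error_page(macro_name: str) -> str:
    """Same message, but the untrusted value is HTML-escaped (including quotes),
    so the browser renders it as text instead of interpreting it as markup."""
    safe_name = html.escape(macro_name, quote=True)
    return (f"<html><body>{ERROR_CODE}: macro file {safe_name} "
            f"could not be opened.</body></html>")


def fixed_error_page(default_message: str) -> str:
    """Mirrors the DTW_DEFAULT_ERROR_MESSAGE workaround: a fixed, operator-controlled
    message is returned and the request-supplied macro name never reaches the page."""
    return f"<html><body>{html.escape(default_message)}</body></html>"


def reflects_markup(page: str, macro_name: str) -> bool:
    """Detection helper for a response-side check: True if the raw (unencoded)
    request value appears in the page while containing HTML-significant characters."""
    return any(c in macro_name for c in "<>\"'") and macro_name in page


if __name__ == "__main__":
    # Constructed, benign test value: a macro name carrying harmless markup.
    name = "report<b>x</b>.d2w"
    print(reflects_markup(vulnerable_error_page(name), name))  # True
    print(reflects_markup(hardened_error_page(name), name))    # False
    print(reflects_markup(fixed_error_page("Request failed."), name))  # False
```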