=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN565
_____________________________________________________________________

DATE                      : 19/12/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running IBM WebSphere.

======================================================================
http://www-1.ibm.com/support/docview.wss?rs=132&context=SS5RCF&dc=D600&uid=swg21251808&loc=en_US&cs=UTF-8&lang=en

----------------------------------------------------------------------

WebSphere Host On-Demand changes required for a reported security vulnerability
in the Administration Utility

Document information
  Product categories:
    Software
    Networking
    Host Access
    WebSphere Host On-Demand
    General
  Operating system(s):
    AIX, HP-UX, Linux, NetWare, OS/2, OS/390, OS/400, Solaris, Windows, z/OS
  Software version:
    7.0, 8.0, 9.0, 10.0
  Software edition:
    All Editions
  Reference #:
    1251808
  IBM Group:
    Software Group
  Modified date:
    2006-12-14


Abstract
Host On-Demand requires an upgrade to resolve an administration security
vulnerability.

Content
A security vulnerability has been identified with the Host On-Demand
Administration Utility.

The permanent fix will be available in Fix Packs 8.0.7a, 9.0.6a and
Manufacturing Refresh 10.0.1.

Until these builds are available, IBM is providing a circumvention to address
this vulnerability.

The attached file, frameset.html, will circumvent the exposure in Host On-Demand
versions 7, 8, 9, and 10.

     * Replace the original frameset.html in the Host On-Demand publish
       directory (.../hostondemand/HOD) with the file provided in this
       technote.

       No restart of the HOD server is required for this change to take effect.

http://www-1.ibm.com/support/docview.wss?uid=swg21251808&aid=1

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================





