SEC Consult Vulnerability Lab Security Advisory < 20130523-0 >
product: IBM WebSphere DataPower Integration Appliance XI50
vulnerable version: 3.8.2, 4.0, 4.0.1, 4.0.2, 5.0.0
fixed version: not available, config changes
CVE number: CVE-2013-0499
by: A. Falkenberg
SEC Consult Vulnerability Lab
WebSphere® DataPower® appliances simplify, govern, and optimize the delivery
of services and applications and enhance the security of XML and IT services.
They extend the capabilities of an infrastructure by providing a multitude of
For the purposes of debugging, DataPower provides configuration options to
echo requests received from the client. For example, XML Firewall service can
be configured to echo requests by choosing the backend as 'loopback'. Other
services like Multi Protocol Gateway and Web Service Proxy can be configured
to echo requests by setting the variable “var://service/mpgw/skip-backside” in
its processing policy.
In such configurations, the requests are not sent to a backend server. Without
adequate validation and processing, the requests may be echoed back to the
client. Loopback services that blindly echo requests should only be used for
debugging purposes and are not intended to run in production environments, as
they can result in potential security threats. For example, if an arbitrary
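The following Python script is an added illustration of the point above, not code from the advisory or from IBM: a simulated loopback handler that validates a SOAP request before echoing it, instead of reflecting whatever the client sent. The expected application namespace (`urn:example:orders`), the function names and the two sample requests are assumptions constructed for the example. It rejects requests whose Body carries XHTML or a `script` element, drops DOCTYPEs, echoes the re-serialised parse tree rather than the raw bytes, and sets headers that keep a browser from rendering the reply as a document.

```python
import xml.etree.ElementTree as ET

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XHTML_NS = "http://www.w3.org/1999/xhtml"
# Hypothetical: the only application namespace this service is meant to carry.
ALLOWED_BODY_NS = {"urn:example:orders"}


def _split_tag(tag):
    """Split an ElementTree tag '{ns}local' into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def validate_soap_request(raw):
    """Return (ok, reason) for a raw request body.

    Accepts only a SOAP 1.1 Envelope whose Body contains elements from
    ALLOWED_BODY_NS; rejects DOCTYPEs, XHTML and any 'script' element so
    that browser-interpretable markup is never reflected back.
    """
    if b"<!DOCTYPE" in raw:
        return False, "DOCTYPE declarations are not accepted"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, "not well-formed XML: %s" % exc
    if root.tag != "{%s}Envelope" % SOAP_ENV_NS:
        return False, "root element is not a SOAP 1.1 Envelope"
    body = root.find("{%s}Body" % SOAP_ENV_NS)
    if body is None:
        return False, "missing soap:Body"
    for el in body.iter():
        if el is body:
            continue
        ns, local = _split_tag(el.tag)
        if ns == XHTML_NS or local.lower() == "script":
            return False, "browser-interpretable markup in Body: <%s>" % local
        if ns not in ALLOWED_BODY_NS:
            return False, "unexpected namespace in Body: %s" % (ns or "(none)")
    return True, "ok"


def loopback_response(raw):
    """Simulated loopback handler returning (status, headers, body).

    A valid request is echoed from the re-serialised parse tree (ElementTree
    drops comments and processing instructions), with headers that stop a
    browser from rendering the reply. An invalid request gets a fixed SOAP
    Fault that never reflects any part of the input.
    """
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="response.xml"',
    }
    ok, reason = validate_soap_request(raw)
    if ok:
        return 200, headers, ET.tostring(ET.fromstring(raw), encoding="utf-8")
    fault = (
        '<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body><soapenv:Fault>'
        "<faultcode>soapenv:Client</faultcode>"
        "<faultstring>request rejected</faultstring>"
        "</soapenv:Fault></soapenv:Body></soapenv:Envelope>" % SOAP_ENV_NS
    ).encode("utf-8")
    return 400, headers, fault


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><ord:Order xmlns:ord="urn:example:orders">'
    b"<ord:Id>42</ord:Id></ord:Order></soapenv:Body></soapenv:Envelope>"
)
BAD_REQUEST = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><h:div xmlns:h="http://www.w3.org/1999/xhtml">'
    b"<h:script>test</h:script></h:div></soapenv:Body></soapenv:Envelope>"
)

if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_REQUEST):
        status, _, body = loopback_response(req)
        print(status, body.decode("utf-8"))
```

The design point is that a loopback service is still a service boundary: echoing the parsed tree rather than the raw bytes means nothing the parser discards (comments, processing instructions, a DOCTYPE) reaches the client, and the namespace allow-list confines what can be reflected to the message types the backend would actually accept.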
Proof of concept:
The proof of concept was tested on an IBM XI50 with the backend configured as
a "loopback" Web Service. The "loopback" Web Service can be used to execute
arbitrary JavaScript code in a victim's browser. Any valid SOAP message sent
to the Web service is returned unmodified to the receiver. If the SOAP
that is contained within the XML document will get executed.
The following PHP script demonstrates a reflected cross-site scripting attack.