IBM Support

IZ54747: SSUI SHOULD NOT PERFORM INPUT VALIDATION

APAR status

  • Closed as program error.

Error description

  • ***************************************
    Title:  SSUI should not perform input validation
    
    Description:  There is a vulnerability issue in
    the self console, as it does input validation.
    User is changing profile in self console, updating
    the last name to <script>alert("bbbbb")</script>
    
    The value of the new LAST name is returned as part of the
    reply.
    The browser receives the <script>alert("bbbbb")</script> and
    executes it.
    
    Steps to Duplicate: log in self console, change profile, use
    above script for last name.
    
    Desired Behavior: to turn off input validation
    Environment: 5.0.0.5 ITIM
    **************************************
    

Local fix

  • n/a
    

Problem summary

  • users affected:
    Customers using the ITIM Self Service UI.
    

Problem conclusion

  • The fix for this APAR is contained in the
    following maintenance packages:
    | Interim Fix | 5.0.0.6-TIV-TIM-IF0031
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ54747

  • Reported component name

    IBM TIV IDENT M

  • Reported component ID

    5724C3404

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-07-08

  • Closed date

    2009-08-26

  • Last modified date

    2010-02-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IZ70618

Modules/Macros

  • SERVER
    

Fix information

  • Fixed component name

    IBM TIV IDENT M

  • Fixed component ID

    5724C3404

Applicable component levels

  • R500 PSY

       UP



Document information

More support for: IBM Security Identity Manager
Server

Software version: 500

Reference #: IZ54747

Modified date: 17 February 2010
