IC90714: (SSPCM) PEN TEST: M-001 APPLICATION PAGES DO NOT BREAK OUT OF 3RD PARTY HTML FRAMES


APAR status

  • Closed as program error.

Error description

  • M-001 Application Pages Do Not Break Out of 3rd Party HTML
    Frames. Implement a Frame Killer.
    L3 Comment: SSP Engineering: Investigating (affects SSP CM and SEAS)
    

Local fix

  • STRRTC - 367009
    DE/RJ
    Circumvention:
    Update to latest SSP Build 3.4.1.7
    

Problem summary

  • Security scan revealed that Sterling Secure Proxy Configuration
    Manager pages permit rendering within third party HTML frames.
    An internal attacker could potentially control elements of the
    framed pages and obtain unauthorized access to data.
    

Problem conclusion

  • Implemented frame options within the SSP CM web pages to keep
    third party applications from rendering the frames.
    

Temporary fix

  • Implemented "frame killer" attributes in the CM screens to
    prevent hijacking.
    

Comments

  • Fix included in SSP3417.
    

APAR Information

  • APAR number

    IC90714

  • Reported component name

    STR SECURE PROX

  • Reported component ID

    5725D0300

  • Reported release

    341

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-03-08

  • Closed date

    2013-05-01

  • Last modified date

    2013-05-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR SECURE PROX

  • Fixed component ID

    5725D0300

Applicable component levels

  • R341 PSY

       UP




Document information


More support for:

Sterling Secure Proxy

Software version:

341

Reference #:

IC90714

Modified date:

2013-05-01
