IBM Support

IV72630: CROSS SITE SCRIPTING POST-AUTHENTICATION - ACROSS THE APPLICATION


APAR status

  • Closed as FIN (fixed if next): the correction is delivered in a later release or fix pack rather than in the reported release.

Error description

  • This specific scenario is regarding:
    
    A Cross Site Scripting (XSS) attack occurs when an attacker
    uses the web application to deliver malicious code, in the form
    of a client-side script (arbitrary JavaScript), to an end user.
    
    If the attack succeeds, the attacker-controlled content executes
    in the context of the current user. If the user is logged in,
    the session may be stolen. If the user is not logged in, the
    attacker can retain the session cookie until it can reasonably
    be assumed that the user has logged in. Either way, the attacker
    gains full control over the victim's account. Because the
    browser treats the script as having come from a trusted source,
    the script can access any cookies, session tokens, or other
    sensitive information the client retains for that site, and it
    can even rewrite the content of the HTML page.
    
    This issue has been observed across the application.
    

Local fix

  • N/A
    

Problem summary

  • User-supplied values were being placed in the JSON array without
    escaping; these unescaped values needed to be removed from the
    JSON array.
    

Problem conclusion

  • Cross site scripting attacks in "My Reports" have been
    mitigated. Script code entered in a new report's Name, ID,
    Header, or Tag name will no longer execute when the report is
    subsequently accessed within the application. The fix is
    targeted for the 3.4.2 mod release and the 3.4.1.2 fix pack.
    
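The summary and conclusion above describe the defect class but not the mechanics: report field values were carried in a JSON array and reached the page without escaping. The following JavaScript is an added example, not TRIRIGA code, showing the two output sinks such values commonly hit (a JSON array serialized into an inline script element, and fields concatenated into HTML) and the escaping each one needs. The report records, the payloads, and the function names (vulnerableScriptBlock, safeScriptBlock, vulnerableRow, safeRow, jsonForInlineScript, escapeHtml, scriptCloseCount) are all constructed for illustration and do not come from the product.

```javascript
// Added example, not TRIRIGA code. Shows how unescaped report fields carried in a
// JSON array become stored XSS, and the escaping each output sink requires.

// Constructed sample data: report 2 carries a payload in each user-controlled field
// (Name, ID, Header, Tag), matching the fields named in the problem conclusion.
const reports = [
  { id: "RPT-1", name: "Quarterly costs", header: "Q1 2015", tag: "finance" },
  {
    id: "RPT-2",
    name: "</script><script>alert(document.cookie)</script>",
    header: "<img src=x onerror=alert(1)>",
    tag: 'x" onmouseover="alert(1)',
  },
];

// Sink 1: the JSON array is written into an inline <script> element.
// Vulnerable: JSON.stringify quotes the strings, but the HTML parser runs before
// the JavaScript parser and closes the script element at the first "</script>"
// it sees, so the attacker's second <script> element is parsed and executed.
function vulnerableScriptBlock(list) {
  return "<script>var reports = " + JSON.stringify(list) + ";</script>";
}

// Hardened: replace the characters the HTML parser cares about with JSON
// unicode escapes. The result is still valid JSON and parses back to the same
// data, so no "</script>" sequence can appear in the emitted page.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}
function safeScriptBlock(list) {
  return "<script>var reports = " + jsonForInlineScript(list) + ";</script>";
}

// Sink 2: each report is rendered as a table row.
// Vulnerable: field values are concatenated straight into markup, so the Header
// payload injects an element and the Tag payload breaks out of the attribute.
function vulnerableRow(r) {
  return `<tr data-tag="${r.tag}"><td>${r.id}</td><td>${r.name}</td><td>${r.header}</td></tr>`;
}

// Hardened: entity-encode every field. The same encoder is safe for element
// text and for values inside a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}
function safeRow(r) {
  return `<tr data-tag="${escapeHtml(r.tag)}"><td>${escapeHtml(r.id)}</td>` +
    `<td>${escapeHtml(r.name)}</td><td>${escapeHtml(r.header)}</td></tr>`;
}

// How many times the emitted HTML would close a script element. A single
// well-formed inline block closes exactly once; anything more is a breakout.
function scriptCloseCount(html) {
  return html.split("</script>").length - 1;
}

console.log("vulnerable script closes:", scriptCloseCount(vulnerableScriptBlock(reports))); // 3
console.log("hardened script closes:", scriptCloseCount(safeScriptBlock(reports)));        // 1
console.log(vulnerableRow(reports[1]));
console.log(safeRow(reports[1]));
```

The escaping in jsonForInlineScript is the part that corresponds most directly to the reported fix: it keeps user data in the JSON array but makes it inert for the HTML parser, whereas escapeHtml protects the separate step of rendering a field into the page. Both are needed because each sink has its own grammar; escaping for one does not protect the other.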

Temporary fix

Comments

APAR Information

  • APAR number

    IV72630

  • Reported component name

    TRI APP PLTFM R

  • Reported component ID

    5725F26RE

  • Reported release

    341

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-04-22

  • Closed date

    2015-04-27

  • Last modified date

    2015-04-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • 999
    

Fix information

Applicable component levels

  • R341 PSY

       UP



Document information

More support for: IBM TRIRIGA Application Platform
IBM TRIRIGA Application Platform Runtime Engine

Software version: 341

Reference #: IV72630

Modified date: 27 April 2015