IV83657: CROSS SITE REQUEST FORGERY (CSRF) ATTACK VULNERABILITY

3.5.0-TIV-TAP-FP002-WIN
3.5.0-TIV-TAP-FP002-README
3.5.0-TIV-TAP-FP002-LIN
3.5.0-TIV-TAP-FP002-AIX
3.4.2-TIV-TAP-FP004-WIN
3.4.2-TIV-TAP-FP004-README
3.4.2-TIV-TAP-FP004-LIN
3.4.2-TIV-TAP-FP004-AIX

APAR status

• Closed as fixed if next.

Error description

• CSRF attacks force an authenticated victim's browser to send an
  unauthenticated request to a vulnerable web application, which
  then performs unauthorized action on behalf of the attacker.
  This issue has been identified in various places throughout the
  application.  This APAR is specifically for the example below.
  
  Reproduction steps:
  1. Set the KNOWN_REFERRER_LIST to the host name
  2. Restart the Tririga Application Server
  3. Navigate to the Configure -> People -> Employees
  4. Select any existing employee
  5. Click on Delete button and intercept the form (See sample
  form below)
  6. Change the sNo field in the form to that of another user
  7. Save the form as an html file and open in the browser where
  you are currently logged on to Tririga
  8. Submit the CSRF form and see that the other user is deleted
  

Local fix

• No
  

Problem summary

• TITLE:  IBM TRIRIGA Application Platform is vulnerable to a
  Cross Site Request Forgery Attack.  (CVE-2016-0386)
  CVEID: CVE-2016-0386CVSS
  Base Score: 8CVSS Temporal Score: See
  https://exchange.xforce.ibmcloud.com/vulnerabilities/112360 for
  the current score
  CVSS Environmental Score*: Undefined
  CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
  

Problem conclusion

• Resolution for this issue is targeted to the 1h2016 release,
  3.5.0.2, 3.4.2.4 and 3.3.2.6 fix packs
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Modules/Macros

• 999
  

Fix information

Applicable component levels