IBM Support

IV83657: CROSS SITE REQUEST FORGERY (CSRF) ATTACK VULNERABILITY

APAR status

  • Closed as fixed if next.

Error description

  • CSRF attacks force an authenticated victim's browser to send an
    unauthenticated request to a vulnerable web application, which
    then performs an unauthorized action on behalf of the attacker.
    This issue has been identified in various places throughout the
    application.  This APAR is specifically for the example below.
    
    Reproduction steps:
    1. Set the KNOWN_REFERRER_LIST to the host name
    2. Restart the Tririga Application Server
    3. Navigate to Configure -> People -> Employees
    4. Select any existing employee
    5. Click the Delete button and intercept the form (see sample
    form below)
    6. Change the sNo field in the form to that of another user
    7. Save the form as an HTML file and open it in the browser where
    you are currently logged on to TRIRIGA
    8. Submit the CSRF form and see that the other user is deleted
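
A server-side check of the kind that refuses a form replayed from outside the application, as an added example (not IBM's fix and not TRIRIGA code): a state-changing request must name an allowlisted source host and carry the session's CSRF token. The host `tririga.example.com`, the `csrf_token` field and all function names are assumptions, and the sample requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed allowlist, in the role the page gives KNOWN_REFERRER_LIST.
KNOWN_HOSTS = {"tririga.example.com"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def new_csrf_token() -> str:
    """Random per-session token, kept server-side and embedded in each form."""
    return secrets.token_urlsafe(32)

def source_host(headers: dict):
    """Host named by Origin, else Referer; "null" and file:// give None."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            try:
                return urlsplit(value).hostname
            except ValueError:  # malformed header value
                return None
    return None

def check_request(method: str, headers: dict, session_token: str, form: dict):
    """Return (allowed, reason) for a request made inside a logged-on session."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    host = source_host(headers)
    if host is None:
        return False, "no usable Origin/Referer"  # fail closed, do not skip
    if host not in KNOWN_HOSTS:
        return False, "source host not in allowlist"
    sent = str(form.get("csrf_token", ""))
    if not session_token or not hmac.compare_digest(
            sent.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def demo() -> dict:
    """Constructed requests; sNo is the form field named in step 6."""
    token = new_csrf_token()
    own = {"Origin": "https://tririga.example.com"}
    cases = {
        "in-app form": (own, {"sNo": "1001", "csrf_token": token}),
        "saved local file": ({"Origin": "null"}, {"sNo": "1002"}),
        "other site": ({"Referer": "https://other.example.net/x"}, {"sNo": "1002"}),
        "allowed host, no token": (own, {"sNo": "1002"}),
    }
    return {n: check_request("POST", h, token, f) for n, (h, f) in cases.items()}
```

Only the first constructed request is accepted; the token check is what still holds when a request does name an allowlisted host.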
    

Local fix

  • No
    

Problem summary

  • TITLE:  IBM TRIRIGA Application Platform is vulnerable to a
    Cross Site Request Forgery Attack.  (CVE-2016-0386)
    CVEID: CVE-2016-0386
    CVSS Base Score: 8
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/112360 for
    the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
    

Problem conclusion

  • Resolution for this issue is targeted to the 1h2016 release,
    3.5.0.2, 3.4.2.4 and 3.3.2.6 fix packs
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV83657

  • Reported component name

    TRI APP PLTFM R

  • Reported component ID

    5725F26RE

  • Reported release

    350

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-04-12

  • Closed date

    2016-04-20

  • Last modified date

    2016-04-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • 999
    

Fix information

Applicable component levels



Document information

More support for: IBM TRIRIGA Application Platform
IBM TRIRIGA Application Platform Runtime Engine

Software version: 350

Reference #: IV83657

Modified date: 20 April 2016