IV84740: VULNERABILITY - DIRECT OBJECT REFERENCE
Closed as fixed if next.
The issue reported is that a user opens their own notification record and then changes the spec id of that record in the URL (by altering the last digits) to open and view other TRIRIGA records. This is a security vulnerability because the user can see TRIRIGA records that should not be visible to them. Direct Object Reference vulnerabilities relate to the use of identifiers that map directly to content in a database or file system. Applications that expose Direct Object References are prone to security issues when one user can view content belonging to another user simply by changing the reference value. Incomplete or inconsistent access controls are typically to blame for this vulnerability.
Fixed. The Notification records containing a temporary password are viewable by all TRIRIGA users. A workflow has been created that deletes the Notification record containing the temporary password after the email Notification with that temporary password has been sent to the user. This issue will be resolved in our next major release version, which is tentatively planned for 2H 2016.
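The access-control gap this APAR describes, and the delete-after-send workflow of the fix, as an added Python illustration. This is not TRIRIGA code: the record layout, user names, spec ids and the "admin" role are constructed for the example.

```python
# Added illustration of the direct object reference gap in this APAR and of
# the mitigation it describes. Not TRIRIGA code; all data is constructed.
from dataclasses import dataclass


@dataclass
class Notification:
    spec_id: int            # the identifier exposed in the URL
    recipient: str          # user the record was addressed to
    body: str
    has_temp_password: bool = False


class NotificationStore:
    def __init__(self):
        self.records = {}

    def add(self, rec):
        self.records[rec.spec_id] = rec

    def view_unchecked(self, spec_id, user):
        """Vulnerable lookup: trusts the spec id taken from the URL and never
        checks whether `user` may see the record, so editing the last digits
        of the id returns another user's notification."""
        return self.records.get(spec_id)

    def view_checked(self, spec_id, user):
        """Hardened lookup: the record is returned only if the caller is its
        recipient or an admin (constructed role). Missing and forbidden
        records get the same answer so ids cannot be probed."""
        rec = self.records.get(spec_id)
        if rec is None or not (user == rec.recipient or user == "admin"):
            return None
        return rec

    def send_and_purge_temp_passwords(self, send):
        """Workflow from the fix: email each temporary-password notification,
        then delete the record so it is no longer viewable by anyone.
        Returns the spec ids that were removed."""
        removed = []
        for spec_id, rec in list(self.records.items()):
            if rec.has_temp_password:
                send(rec.recipient, rec.body)
                del self.records[spec_id]
                removed.append(spec_id)
        return removed


def build_sample_store():
    """Constructed data: two users, one temporary-password notification."""
    store = NotificationStore()
    store.add(Notification(1000123, "alice", "temp password: <constructed>", True))
    store.add(Notification(1000124, "bob", "Lease 42 needs approval"))
    return store
```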
Reported component name
TRI APPLI SETUP
Reported component ID
NoSpecatt / Xsystem