PJ40949: BPF IS SUSCEPTIBLE TO XXE (XML EXTERNAL ENTITY) ATTACKS

APAR status

• Closed as program error.

Error description

• How long has the problem been occurring (describe any recent
  changes)?
  Always
  
  Is there a workaround? (Yes ? describe, or No)
  No
  
  What is the impact to the customer/system?
  End customer system has failed their PCI compliance audit which
  is required for their business
  
  Steps to Reproduce:
  Steps tested in-house and taken from customer's attached PDF
  file:
  1. Install and start fiddler2 (http://www.fiddler2.com)
  2. Logon to BPF
  3. Using fiddler post the following 'attack' request as per page
  1 of the customer's PDF:
      <!DOCTYPE foobar [<!ENTITY xxe SYSTEM
  'testfile'>]><Request><Action>&xxe;<Param></Param></Action></Req
  uest>
  4. In fiddler note that the reply received is as per the
  customer's description
  5. Other steps from the customer's document can be followed and
  the results are as described
  
  Attachments:
  Customer PDF describing XXE attack found:
  https://ecurep.mainz.de.ibm.com:444/rest/download/20462,140,702/
  mail20121212-112043-Petri.Pietilainen/BPF_security_issues.pdf
  
  Additional Information:
  The full attack header that was used in house with fiddler2 is
  for step 3 (and subsequent) is:
  
  POST http://cn-site:9080/bpf/dispatchAction HTTP/1.1
  Accept: */*
  Accept-Language: en-ie
  Referer: http://cn-site:9080/bpf/Bp8Main.jsp
  Content-Type: text/xml;charset=UTF-8
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;
  WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR
  3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
  Host: cn-site:9080
  Content-Length: 107
  Connection: Keep-Alive
  Pragma: no-cache
  Cookie:
  bp8-user-name=65|100|109|105|110|105|115|116|114|97|116|111|114;
  JSESSIONID=000022Z9mYzpJsufNvmicQMML1X:-1;
  bpf_childadmin/MainWindow=30%2C1924%2C780%2C1135;
  Administrator/MainWindow=52%2C1909%2C1596%2C1128
  
  <!DOCTYPE foobar [<!ENTITY xxe SYSTEM
  'testfile'>]><Request><Action>&xxe;<Param></Param></Action></Req
  uest>
  
  Configuration/Environment:
  In-house
  Windows 2003
  BPF 4.1.0.7
  
  Windows 7 Client
  MS IE 8.0 32bit
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED:                                              *
  * BPF web application users                                    *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  * BPF is susceptible to XXE (XML eXternal Entity) attacks.     *
  ****************************************************************
  * RECOMMENDATION:                                              *
  * Apply the BPF-4.1.0-010 GA FixPack.                          *
  ****************************************************************
  

Problem conclusion

• The issue is fixed in BPF-4.1.0-010.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BUS PROC FRAMEW

• Fixed component ID

  5724R7500

Applicable component levels

• R410 PSY

     UP