Skip to main content


PK70972: CROSS-SITE SCRIPTING VULNERABILITIES WITHIN CLEARCASE RWP SERVER

 

APAR status

  • Closed as program error.

Error description

  • Cross-Site Scripting Vulnerabilities within ClearCase RWP server

ClearCase:  7.0.1.1-RATL-RCC-IFIX02
UNIX:  All Versions

To Reproduce:

1)  Login to the web interface
2)  Select a View
3)  Once the VOB page appears, copy the following into the URL:
           ??''??script?alert(1234)?/script?=123

For example:
           http://otter/ccrc/??''??script?alert(1234)?/script?=1
23

On host Otter, with the following URL, you will see a pop-up win
dow appear with ?1234? and an OK button:  Once you press OK, you
 are returned to the login screen with ? value?123??  printed at
 the top left of the login prompt.


WORKAROUND:  none

Local fix

  • 



Problem summary


    

  • The ClearCase Web Interfaces has a cross-site scripting
(XSS) vulnerability.

    



Problem conclusion


    

  • Fixed in ClearCase versions 7.0.0.4 and 7.0.1.3

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PK70972
    • 

  • Reported component name
    CLEARCASE UNIX
    • 

  • Reported component ID
    5724G2901
    • 

  • Reported release
    700
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2008-08-22
    • 

  • Closed date
    2008-12-01
    • 

  • Last modified date
    2008-12-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    CLEARCASE UNIX
    • 

  • Fixed component ID
    5724G2901
    • 



Applicable component levels


    

  • R700  PSN
       UP
    • 








		


		
Copyright and trademark information

		

			
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.  Other product and service names might be trademarks of IBM or other companies.  A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

		

		


		

		
Rate this page

		

			
Please take a moment to complete this form to help us better serve you.

		

		
		

		
		
		
		
		
		
		

		

			
This material provides me with the information I need.

		

		

		

			 

			 

			 

			 

			 

		

		

		

  		
		

		

			
This material is clear and easy to understand.

		

		

		

			 

			 

			 

			 

			 

		

		

		

  		

		

		

			
Did the information help you to achieve your goal?

		

		

		

			
			
			
		

		

		


		

		

			
What updates, improvements, or related information would you like to see in this document?

		

		

			

		

		


		

			
Your response will be used to improve our document content. Requests for assistance, if applicable, should be submitted through your normal support channel as we cannot respond from this site.

		

		

			
Input the verification number to submit feedback:

		

		

			


		

		

		

			

		

		

		


		

		
		





Close [x]









   



Maintenance Window
 








     

  • The IBM Technical support pages, including the Downloads and Drivers Finders will be temporarily unavailable for up to 4 hours due to planned maintenance. This will take place between Saturday November 14, 2009 9:00 PM ET and Sunday, November 15, 2009 7:00 AM ET. During the maintenance, you will not be able to search or download from these pages.
    • 






   
















Close [x]









   



Unscheduled Maintenance Window









There is no unscheduled maintenance scheduled at this time.





   










		

			


			

				





		

		
		


		
Document information

		

			
Product categories:

		
		
Software
Software Development
Change, Configuration, & Release Management
Rational ClearCase

		
		

		
			
Software version:

			
700

			

		

		

		
			
Reference #:

			

		PK70972
			

			

		

			
IBM Group:

			
Software Group

			

			
Modified date:

			
2008-12-01

		

		


		
Translate my page

		

			

			

			
			

			
			
			
			

		

		


		
Rate this page

		

			
		

		


		

		
			
Availability Notices