PM22477: [wi 131186] RTC is vulnerable to stored Cross Site Scripting (XSS) attacks

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • The application is vulnerable to stored Cross Site Scripting
    (XSS) attacks
    exploitable by authenticated users. The application neither
    performs
    adequate input validation prior to processing user controlled
    data nor
    performs appropriate encoding of user supplied data prior to
    rendering the
    same.
    
    Users with malicious intent can exploit the vulnerability by
    publishing
    shared reports with malicious scripts. Such an action is
    automatically
    communicated to all the team members belonging to that project
    through the
    eclipse client RSS feeds.  The injected scripts get executed in
    the
    browser of users accessing the shared report.
    
    Successful exploitation can allow execution of arbitrary script
    code in a
    user' browser session which may allow stealing cookie based
    auentication credentials.
    Successful exploitation of the vulnerability can allow an
    attacker to gain access to the authenticated session of
    privileged users like project owners and thereby gain access to
    privileged administrative functionality  and/or potentially
    sensitive data.
    
    Expectation:
    The web application must perform adequate output encoding prior
    to
    rendering/presenting the data received from any client.  It is
    also
    recommended that the application perform adequate input
    validation of all
    user controlled data, thereby accepting only explicitly defined
    set of
    allowed characters.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When we enter a report name in the Web UI, some characters
    are not properly escaped. Thus they are rendered when we run
    the report.
    

Problem conclusion

  • We need to parse and escape the report name before saving it
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM22477

  • Reported component name

    RTC STD ED

  • Reported component ID

    5724V0403

  • Reported release

    200

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-09-14

  • Closed date

    2011-02-04

  • Last modified date

    2011-02-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    RTC STD ED

  • Fixed component ID

    5724V0403

Applicable component levels

  • R200 PSN

       UP



Rate this page:

(0 users)Average rating

Document information


More support for:

Rational Team Concert

Software version:

2.0

Reference #:

PM22477

Modified date:

2011-02-04

Translate my page

Machine Translation

Content navigation