APAR status
Closed as program error.
Error description
The application is vulnerable to stored Cross Site Scripting (XSS) attacks exploitable by authenticated users. The application neither performs adequate input validation prior to processing user controlled data nor performs appropriate encoding of user supplied data prior to rendering it. Users with malicious intent can exploit the vulnerability by publishing shared reports with malicious scripts. Such an action is automatically communicated to all the team members belonging to that project through the Eclipse client RSS feeds. The injected scripts get executed in the browser of users accessing the shared report. Successful exploitation can allow execution of arbitrary script code in a user's browser session, which may allow stealing cookie-based authentication credentials. Successful exploitation of the vulnerability can allow an attacker to gain access to the authenticated session of privileged users like project owners and thereby gain access to privileged administrative functionality and/or potentially sensitive data.

Expectation: The web application must perform adequate output encoding prior to rendering/presenting the data received from any client. It is also recommended that the application perform adequate input validation of all user controlled data, thereby accepting only an explicitly defined set of allowed characters.
Local fix
Problem summary
When we enter a report name in the Web UI, some characters are not properly escaped. Thus they are rendered when we run the report.
Problem conclusion
We need to parse and escape the report name before saving it.
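The two controls the error description asks for (an allowlist on the report name at input, and encoding of the name at output for both the Web UI and the RSS feed) are shown below as an added example; this is not code from the APAR or from Rational Team Concert, and the function names, the allowed-character policy and the sample report name are assumptions.

```javascript
// Added example, not RTC code: allowlist validation of a report name on input,
// and contextual escaping of the stored name at the point of output, for the
// HTML page of the Web UI and the RSS item delivered to the Eclipse client.

// Escape the five characters that are significant in HTML text and in XML text
// content; the same replacement map is safe for both output contexts used here.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeMarkup(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Input validation: accept only an explicitly defined set of characters
// (assumed policy: letters, digits, space, underscore, dot, dash, parentheses).
const REPORT_NAME_RE = /^[A-Za-z0-9 _.\-()]{1,100}$/;
function isValidReportName(name) {
  return REPORT_NAME_RE.test(name);
}

// Vulnerable rendering (the defect described in the APAR): the stored name
// is concatenated into the page unchanged.
function renderReportHeadingUnsafe(name) {
  return `<h1 class="report-title">${name}</h1>`;
}

// Fixed rendering: the name is encoded where it is written into the markup.
function renderReportHeading(name) {
  return `<h1 class="report-title">${escapeMarkup(name)}</h1>`;
}

// RSS item sent to project members: the name is encoded in the XML title too.
function renderRssItem(name, link) {
  return `<item><title>${escapeMarkup(name)}</title><link>${escapeMarkup(link)}</link></item>`;
}

// Detection helper for the check below: does the output still contain a live tag?
function hasLiveScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Constructed sample report name carrying script markup (not from the APAR).
const SAMPLE_NAME = 'Weekly <script>alert(1)</script> status';
```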
Temporary fix
Comments
APAR Information
APAR number
PM22477
Reported component name
RTC STD ED
Reported component ID
5724V0403
Reported release
200
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-09-14
Closed date
2011-02-04
Last modified date
2011-02-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
RTC STD ED
Fixed component ID
5724V0403
Applicable component levels
R200 PSN
UP
Document Information
Modified date:
04 February 2011