IBM Support

PM22477: [wi 131186] RTC is vulnerable to stored Cross Site Scripting (XSS) attacks

 

APAR status

  • Closed as program error.

Error description

  • The application is vulnerable to stored Cross Site Scripting (XSS)
    attacks exploitable by authenticated users. The application neither
    performs adequate input validation prior to processing
    user-controlled data nor performs appropriate encoding of
    user-supplied data prior to rendering it.

    Users with malicious intent can exploit the vulnerability by
    publishing shared reports with malicious scripts. Such an action is
    automatically communicated to all the team members belonging to
    that project through the Eclipse client RSS feeds. The injected
    scripts get executed in the browser of users accessing the shared
    report.

    Successful exploitation can allow execution of arbitrary script
    code in a user's browser session, which may allow stealing
    cookie-based authentication credentials.
    Successful exploitation of the vulnerability can allow an attacker
    to gain access to the authenticated session of privileged users
    like project owners and thereby gain access to privileged
    administrative functionality and/or potentially sensitive data.

    Expectation:
    The web application must perform adequate output encoding prior to
    rendering/presenting the data received from any client. It is also
    recommended that the application perform adequate input validation
    of all user-controlled data, thereby accepting only an explicitly
    defined set of allowed characters.
    

Local fix

Problem summary

  • When we enter a report name in the Web UI, some characters
    are not properly escaped. Thus they are rendered when we run
    the report.
    

Problem conclusion

  • We need to parse and escape the report name before saving it
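
The two controls named in the Expectation above, allowlist validation of the report name on save and output encoding when it is rendered, shown beside the unencoded rendering the APAR describes. This is an added example, not IBM's or RTC's code; the function names, the allowlist policy and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not RTC code. All names below are hypothetical.

// Allowlist for report names (assumed policy): letters, digits, space and
// a few punctuation marks, 1 to 100 characters.
const REPORT_NAME_RE = /^[A-Za-z0-9 _.()-]{1,100}$/;

function isValidReportName(name) {
  return typeof name === "string" && REPORT_NAME_RE.test(name);
}

// In-memory stand-in for the report store.
const reports = new Map();

// Input validation at save time: reject anything outside the allowlist.
function saveReport(id, name) {
  if (!isValidReportName(name)) {
    throw new RangeError("report name contains disallowed characters");
  }
  reports.set(id, name);
}

// Output encoding for HTML text and quoted-attribute contexts.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Pattern the APAR describes: the stored name reaches the page unencoded.
function renderReportTitleUnsafe(name) {
  return '<h2 class="report-title">' + name + "</h2>";
}

// Hardened: encode at the point of output, regardless of what was stored.
function renderReportTitle(name) {
  return '<h2 class="report-title">' + escapeHtml(name) + "</h2>";
}

// Constructed sample inputs.
const benign = "Sprint 12 burndown (team A)";
const hostile = "<script>alert(1)</script>";

console.log(renderReportTitleUnsafe(hostile)); // markup survives intact
console.log(renderReportTitle(hostile));       // rendered as inert text
console.log(isValidReportName(benign), isValidReportName(hostile));
```

Encoding at render time covers names stored before any save-time check existed; the save-time allowlist alone does not.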
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM22477

  • Reported component name

    RTC STD ED

  • Reported component ID

    5724V0403

  • Reported release

    200

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-09-14

  • Closed date

    2011-02-04

  • Last modified date

    2011-02-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    RTC STD ED

  • Fixed component ID

    5724V0403

Applicable component levels

  • R200 PSN

       UP


Document Information

Modified date:
04 February 2011