APAR status
Closed as program error.
Error description
For example, if you embed something like "<script>alert(31521);</script>" into an RTS (Rule Team Server) URL, the web page returned includes it in such a way that it actually executes on the client, in this case causing a pop-up. The ILOG error-handling mechanism embeds the bad data supplied in the POST or GET in the page as part of the error message, which allows arbitrary JavaScript to be executed in the victim's browser (a reflected cross-site scripting flaw). The problem appears on the following three pages (adjust yourServer/teamserver as needed):
https://yourServer/teamserver/faces/explore/explore.jsp
https://yourServer/teamserver/faces/compose/compose.jsp
https://yourServer/teamserver/faces/home.jsp
Local fix
In the file teamserver-web-<app>.war, edit content/internalError.jsp and replace line 9
message="#{InternalErrorBean.message}"
with
message="#{bundle.unknownError}"
This prevents the error message, and with it the attacker-supplied request data, from being displayed directly in the web browser. The message itself remains visible in the stack trace.
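The two halves of this APAR, the error page that echoes the offending request parameter and the local fix that replaces it with a generic message, reduced to a runnable model. This is an added example, not code from ILOG JRules or Rule Team Server: the renderers, the "q" parameter, the GENERIC_MESSAGE text standing in for bundle.unknownError, and the sample payload are all assumptions made for illustration. The check at the end is the one a tester would run against the three pages listed above: does the payload come back in the response byte-for-byte, or not.

```python
"""Reflected XSS via an error page, as described in the APAR, in miniature.

Added example, not ILOG JRules / Rule Team Server code.  Models an error
handler that writes the bad request value straight into the returned HTML,
beside two hardened variants, plus a check for unencoded reflection.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit
from urllib.request import urlopen

# Constructed sample payload, same shape as the one in the error description.
PAYLOAD = "<script>alert(31521);</script>"

# Stand-in for the bundle.unknownError resource string (assumption).
GENERIC_MESSAGE = "An unknown error occurred."

_TEMPLATE = "<html><body><h1>Internal error</h1><p>{}</p></body></html>"


def render_error_vulnerable(message: str) -> str:
    """Mimics message="#{InternalErrorBean.message}" emitted without encoding."""
    return _TEMPLATE.format(message)


def render_error_generic(message: str) -> str:
    """The APAR's local fix: never echo the attacker-influenced message."""
    return _TEMPLATE.format(GENERIC_MESSAGE)


def render_error_escaped(message: str) -> str:
    """Alternative fix: keep the detail but HTML-encode it before emitting."""
    return _TEMPLATE.format(escape(message, quote=True))


def attack_url(base: str, payload: str) -> str:
    """Build a request URL carrying the payload in a hypothetical 'q' parameter."""
    return f"{base}?q={quote(payload, safe='')}"


def handle_request(url: str, renderer) -> str:
    """Simulated server: an unexpected parameter value ends up in the error text.

    The error message format is an assumption; the point is that the raw
    request value reaches the page through the error path, as in the APAR.
    """
    qs = parse_qs(urlsplit(url).query)
    bad = qs.get("q", [""])[0]
    message = f"Unexpected value: {bad}"
    return renderer(message)


def reflected_unescaped(body: str, payload: str) -> bool:
    """True if the payload appears verbatim, i.e. was not HTML-encoded."""
    return payload in body


def probe_url(url: str, payload: str = PAYLOAD) -> bool:
    """Live check against a real server (network; not run offline).

    Returns True if the page at `url` reflects the payload unencoded when it is
    appended as a query parameter.  Use only against systems you are
    authorised to test.
    """
    with urlopen(attack_url(url, payload)) as resp:  # noqa: S310
        body = resp.read().decode("utf-8", errors="replace")
    return reflected_unescaped(body, payload)


if __name__ == "__main__":
    base = "https://yourServer/teamserver/faces/home.jsp"
    for name, renderer in [("vulnerable", render_error_vulnerable),
                           ("generic (local fix)", render_error_generic),
                           ("escaped", render_error_escaped)]:
        body = handle_request(attack_url(base, PAYLOAD), renderer)
        print(f"{name:20s} reflected unencoded: "
              f"{reflected_unescaped(body, PAYLOAD)}")
```

The generic-message variant is what the local fix does: the detail is dropped from the response entirely and only remains in the server-side stack trace. The escaped variant shows the other acceptable outcome, where the text is kept but can no longer be parsed as markup; either way the check above must come back False on all three affected pages after the fix is applied.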
Problem summary
For example, if you embed something like "<script>alert(31521);</script>" into an RTS URL, the web page returned includes it in such a way that it actually executes on the client, in this case causing a pop-up.
Problem conclusion
Vulnerability fixed.
Temporary fix
Comments
APAR Information
APAR number
RS00133
Reported component name
WS ILOG JRULES
Reported component ID
5724X9800
Reported release
670
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-03-01
Closed date
2010-06-21
Last modified date
2010-06-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WS ILOG JRULES
Fixed component ID
5724X9800
Applicable component levels
R710 PSY
UP
Business Unit: Cloud & Data Platform (BU053)
Product: WebSphere ILOG JRules (SS6MTS)
Platform: Platform Independent (PF025)
Version: 6.7
Line of Business: Automation (LOB45)
Document Information
Modified date:
21 June 2010