Various functions fail in administration portlets with CSS protection enabled in eTrust SiteMinder

Technote (troubleshooting)


Problem

When attempting to perform various operations in an administration portlet in WebSphere® Portal, you receive the following message:

Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This Web site does not allow URLs which might include embedded HTML tags.

Symptom


Example scenarios in which the issue can occur:

A) Add a portlet to a page

1. Edit the page layout for any page.
2. Click on Add Portlets
3. Select any portlet and click OK. (Clicking Cancel produces the same error.)

Error message received:

Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden.  This web site does not allow Urls which might include embedded HTML tags.

NOTE: The blocked CSS (cross-site scripting, in SiteMinder's terminology) character in this case is "%3B", the URL encoding of a semicolon.

B) Add a user to a group

1. Under Administration, navigate to Access>Users and Groups
2. Select a group for which you would like to add a new member.
3. Search for the user you would like to add.
4. Select the user and click OK or Cancel.

Error message received:

Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden.  This web site does not allow Urls which might include embedded HTML tags.

NOTE: The blocked CSS character in this case is "%22", the URL encoding of a double quote.

C) Create a URL mapping

1. Under Administration, navigate to Portal Settings>URL Mapping
2. Select an existing context or create a new one and then click Edit mapping
3. Click OK or Cancel.

Error message received:

Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden.  This web site does not allow Urls which might include embedded HTML tags.

NOTE: The blocked CSS character in this case is "%22", the URL encoding of a double quote.

Aside from the above error, another error that can indicate the same issue is:

403 Forbidden   You are not authorized to view this page

Cause

Certain characters in the URLs generated by the administration portlets (the semicolon, %3B, and the double quote, %22, noted above) are treated by Computer Associates® eTrust SiteMinder™ as evidence of a possible CSS (cross-site scripting) attack, so the request is blocked before it reaches WebSphere Portal.

Environment

WebSphere Portal configured with eTrust SiteMinder set up to protect against possible cross site scripting attacks.

Resolving the problem

The issues have been investigated by WebSphere Portal Development and two interim fixes (PK68030 and PK68128) have been created in order to prevent the characters mentioned above from being generated by the administration portlets. These fixes can be obtained via Fix Central.

NOTE: If for any reason the above fixes cannot be installed, IBM® Support has confirmed that this issue can be avoided by removing the problem characters from the list of badcsschars on the SiteMinder Policy Server. Note that this list applies to every resource the agent protects, so removing characters from it relaxes the filter for the whole site, not only for the administration portlets; the interim fixes are the preferred resolution.
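The following is an added example, not code from IBM's technote or from the SiteMinder product: a minimal model of a "bad cross-site-scripting characters" URL filter, used to reproduce the technote's diagnosis offline. It assumes that such a filter percent-decodes the path and query once and then rejects the request if any character from its configured list appears; the character list, the URLs and the helper names are constructed for this example and are not the product's defaults or the portal's real URLs.

```python
"""Model of a SiteMinder-style BadCSSChars URL filter (added example).

Assumption (not from the technote): the web agent decodes %XX escapes
once and then rejects the request when any configured character is
present in the decoded path or query string.
"""
from urllib.parse import unquote, urlsplit

# Constructed list for this example, not the product's shipped default.
# It contains ';' and '"' because the technote identifies their
# encodings (%3B and %22) as the characters being blocked.
EXAMPLE_BAD_CSS_CHARS = ["<", ">", "'", '"', ";", "(", ")"]


def blocked_chars(url: str, bad_chars=EXAMPLE_BAD_CSS_CHARS) -> list:
    """Return the offending characters found in the decoded path and
    query of ``url``, deduplicated, in order of first appearance."""
    parts = urlsplit(url)
    # unquote() handles both %3B and %3b, as a real agent must.
    decoded = unquote(parts.path) + "?" + unquote(parts.query)
    found = []
    for ch in decoded:
        if ch in bad_chars and ch not in found:
            found.append(ch)
    return found


def diagnose(url: str, bad_chars=EXAMPLE_BAD_CSS_CHARS) -> dict:
    """Report whether the filter would block ``url`` and which
    characters (as %XX, the form the technote uses) triggered it."""
    chars = blocked_chars(url, bad_chars)
    return {
        "blocked": bool(chars),
        "bad_css_chars": ["%%%02X" % ord(c) for c in chars],
    }


# Constructed sample URLs (hypothetical, not real portal URLs):
# scenario A has an encoded semicolon, scenario B an encoded double
# quote, and the third URL contains nothing from the list.
ADD_PORTLET_URL = (
    "/wps/myportal/admin/!ut/p/c1/layout"
    "?mode=edit&action=addPortlet%3Bjsessionid=EXAMPLE"
)
ADD_USER_URL = "/wps/myportal/admin/usersgroups?selection=%22uid%3Dwpsadmin%22"
CLEAN_URL = "/wps/myportal/home?page=news&lang=en"


def workaround_list(removed: str, bad_chars=EXAMPLE_BAD_CSS_CHARS) -> list:
    """The technote's workaround: the same list minus one character."""
    return [c for c in bad_chars if c != removed]


if __name__ == "__main__":
    for u in (ADD_PORTLET_URL, ADD_USER_URL, CLEAN_URL):
        print(u, "->", diagnose(u))
    # With ';' removed from the list, scenario A passes but a URL carrying
    # angle brackets is still rejected, illustrating what the workaround
    # does and does not relax.
    relaxed = workaround_list(";")
    print("relaxed:", diagnose(ADD_PORTLET_URL, relaxed))
    print("relaxed:", diagnose("/wps/myportal/home?q=%3Cb%3Ehi%3C/b%3E", relaxed))
```

Running the script prints one line per sample URL with the %XX codes that tripped the filter, which is the same information the technote records in its "Bad CSS character" notes; comparing a blocked portal URL against the agent's configured list this way is a quick way to confirm that the filter, rather than portal authorization, produced the 403.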


Document information

More support for: WebSphere Portal End of Support Products, Security
Software version: 6.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, i5/OS, z/OS
Software edition: Enable, Express, Extend, Server
Reference #: 1287575
Modified date: 2012-05-29
