IBM Support

OA14904: INSUFFICIENT VALIDATION OF THE SKIN PARAMETER VALUE LEADING TO A TBSM CROSS-SITE SCRIPTING VULNERABILITY

APAR status

  • Closed as program error.

Error description

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All TBSM 3.1 Users.                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: There is potential Cross Site           *
    *                      Scripting vulnerability that might      *
    *                      allow someone to form a malicious URL   *
    *                      link to the TBSM Web Console.  The      *
    *                      vulnerability would be fairly           *
    *                      difficult to exploit - it would require *
    *                      knowledge of the server system and      *
    *                      would require convincing actual         *
    *                      authorized users to access the system   *
    *                      via a link that has been modified to    *
    *                      contain malicious code that might       *
    *                      then compromise security.  The          *
    *                      vulnerability only exists on links      *
    *                      directly to the English help panels.    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The English help panels were providing an unused ability to
    modify the appearance slightly via a passed-in parameter.
    There was insufficient validation being performed on the
    provided value of this parameter prior to usage, which could
    potentially allow malicious code to be returned and executed
    by a user's browser.
    

Problem conclusion

  • The code that processes the optional help parameter now
    performs additional validation that prevents any malicious
    code from being injected and executed.
    
    The fix for this APAR is contained in the following maintenance
    packages:
    | LA interim fix | 3.1.0.1-TIV-BSM-LA0112 |
    | LA interim fix | 3.1.0.1-TIV-BSM-LA0116 |
    
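    As an added illustration (this is not TBSM's code; the skin names, stylesheet paths and query strings are constructed assumptions), the unchecked reflection of an appearance parameter that the summary describes, beside the allowlist validation with a safe default that the conclusion describes:

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed assumptions, not TBSM values: the help panel accepts an
# optional "skin" query parameter that picks a stylesheet and body class.
KNOWN_SKINS = {"default", "highcontrast", "compact"}
SKIN_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def render_help_vulnerable(query_string: str) -> str:
    """Before-fix pattern: the parameter is copied into the markup as given."""
    params = parse_qs(query_string, keep_blank_values=True)
    skin = params.get("skin", ["default"])[0]
    return ('<link rel="stylesheet" href="/help/skins/%s.css">' % skin
            + '<body class="%s">' % skin)


def validate_skin(raw: Optional[str]) -> str:
    """After-fix pattern: strict syntax check plus an allowlist of known
    skins; anything else falls back to the default instead of being reflected."""
    if raw is None:
        return "default"
    candidate = raw.strip().lower()
    if SKIN_RE.fullmatch(candidate) and candidate in KNOWN_SKINS:
        return candidate
    return "default"


def render_help_fixed(query_string: str) -> str:
    """Validate first, then escape on output as defence in depth."""
    params = parse_qs(query_string, keep_blank_values=True)
    skin = validate_skin(params.get("skin", [None])[0])
    safe = html.escape(skin, quote=True)
    return ('<link rel="stylesheet" href="/help/skins/%s.css">' % safe
            + '<body class="%s">' % safe)


def is_reflected(query_string: str, marker: str, renderer) -> bool:
    """Detection check: does request-controlled text reach the page verbatim?"""
    return marker in renderer(query_string)
```

    The check `is_reflected` is the kind of assertion a regression test for this class of fix would carry: the same request must not produce the marker once validation is in place.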

Temporary fix

Comments

APAR Information

  • APAR number

    OA14904

  • Reported component name

    TIVOLI BSM OS/

  • Reported component ID

    5698BSM00

  • Reported release

    31D

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2006-01-16

  • Closed date

    2006-03-17

  • Last modified date

    2006-03-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIVOLI BSM OS/

  • Fixed component ID

    5698BSM00

Applicable component levels

  • R20D PSN

       UP

  • R21D PSN

       UP

  • R21E PSN

       UP

  • R31D PSY

       UP



Document information

More support for: Tivoli Business Systems Manager

Software version: 31D

Reference #: OA14904

Modified date: 17 March 2006