IBM Support

PI56450: MODIFICATION OF FAVOURITES ALLOWS EXECUTION OF JAVASCRIPT VIA THE WELCOME SCREEN


APAR status

  • Closed as program error.

Error description

  • If you modify a favourite location with some JavaScript code,
    that code will get executed when the favourites are shown in the
    welcome screen.
    
    To recreate:
    
     - add some DB location as a favourite using File;Favorites;Add
       to Favorites
     - select File;Favorites;Organize Favorites
     - select the previously added entry and click <Edit>
     - replace the name with code such as the following and apply
       the change:
    
    "<img src=0 onerror=alert("helloWorld")>"
    
     - open the welcome screen using Help;Welcome Screen and you
       will see that the code is run.
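
The class of defect described above, as an added example that is not IBM's code: it assumes the welcome screen builds HTML from the stored favourite names (the DOORS implementation is not shown on this page), so the function names and the sample favourites are hypothetical. It contrasts unescaped rendering with HTML-encoded rendering and adds a check for stored names that already contain markup.

```javascript
// Added example: hypothetical rendering of a favourites list as HTML.
// SAMPLE_FAVOURITES is constructed data; the second name is the test
// string from the error description.
const SAMPLE_FAVOURITES = [
  { name: 'Requirements DB', location: '/Project/Requirements' },
  { name: '<img src=0 onerror=alert("helloWorld")>', location: '/Project/Design' },
];

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before" form: the user-editable name is concatenated into markup as-is,
// so a name containing a tag becomes a live element.
function renderFavouritesUnsafe(favourites) {
  return '<ul>' + favourites.map((f) =>
    '<li title="' + f.location + '">' + f.name + '</li>').join('') + '</ul>';
}

// Hardened form: both fields are encoded at output time, so the name is
// displayed as text whatever it contains.
function renderFavouritesSafe(favourites) {
  return '<ul>' + favourites.map((f) =>
    '<li title="' + escapeHtml(f.location) + '">' + escapeHtml(f.name) + '</li>').join('') + '</ul>';
}

// True when the rendered output contains a tag carrying an on* event-handler
// attribute, which is what the test string relies on.
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Audit helper: list stored favourites whose names contain angle brackets,
// to find entries that were edited before the fix was applied.
function findSuspiciousFavourites(favourites) {
  return favourites.filter((f) => /[<>]/.test(f.name));
}

console.log(renderFavouritesSafe(SAMPLE_FAVOURITES));
console.log(findSuspiciousFavourites(SAMPLE_FAVOURITES).map((f) => f.location));
```

Encoding at output time keeps existing favourites usable; the audit helper only reports entries for review and does not change them.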
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users.                                                   *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * It is possible to change Favourites so that code injection   *
    * occurs.                                                      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

  • This has been resolved in the DOORS 9616 release.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI56450

  • Reported component name

    TLOGIC DOORS

  • Reported component ID

    5724V61DR

  • Reported release

    930

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-02-02

  • Closed date

    2016-03-29

  • Last modified date

    2016-03-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TLOGIC DOORS

  • Fixed component ID

    5724V61DR

Applicable component levels

  • R961 PSY UP



Document information

More support for: Rational DOORS

Software version: 9.3

Reference #: PI56450

Modified date: 29 March 2016