PK70972: CROSS-SITE SCRIPTING VULNERABILITIES WITHIN CLEARCASE RWP SERVER


APAR status

  • Closed as program error.

Error description

  • Cross-Site Scripting Vulnerabilities within ClearCase RWP server
    
    ClearCase:  7.0.1.1-RATL-RCC-IFIX02
    UNIX:  All Versions
    
    To Reproduce:
    
    1)  Login to the web interface
    2)  Select a View
    3)  Once the VOB page appears, copy the following into the URL:
               ??''??script?alert(1234)?/script?=123
    
    For example:
               http://otter/ccrc/??''??script?alert(1234)?/script?=123
    
    On host Otter, with the URL above, you will see a pop-up window
    appear with "1234" and an OK button. Once you press OK, you are
    returned to the login screen with ? value?123?? printed at the top
    left of the login prompt.
    
    
    WORKAROUND:  none
    

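As an added illustration, not code from ClearCase or the RWP server (none appears on this page): a constructed Python rendering of the reported behaviour, in which the request's query string is echoed unencoded at the top of the login page, beside the same rendering with HTML entity encoding applied to every reflected fragment. The query string, function names and banner markup are all constructed for this example.

```python
import html
from urllib.parse import parse_qsl

# Constructed request: a query string of the shape "<key>=123", where the
# key carries markup. The APAR reports that the query is reflected at the
# top left of the login prompt after the redirect.
CONSTRUCTED_QUERY = '"><script>alert(1234)</script>=123'


def reflect_query(query: str) -> list[tuple[str, str]]:
    """Split the raw query string into (key, value) pairs, as the server
    would before echoing them back."""
    return parse_qsl(query, keep_blank_values=True)


def render_login_banner_vulnerable(query: str) -> str:
    """Echo the reflected pairs into the page by plain string concatenation
    (the reported defect): browser sees the request's markup as markup."""
    echoed = ", ".join(f"{k}={v}" for k, v in reflect_query(query))
    return f"<div id='banner'>{echoed}</div>"


def render_login_banner_fixed(query: str) -> str:
    """Same page, but each reflected fragment is entity-encoded for the HTML
    element-content context before it is concatenated. The encoded text
    still reads as the original characters to the user."""
    echoed = ", ".join(
        f"{html.escape(k, quote=True)}={html.escape(v, quote=True)}"
        for k, v in reflect_query(query)
    )
    return f"<div id='banner'>{echoed}</div>"


def reflected_tag_survives(rendered: str, tag: str = "<script") -> bool:
    """Check used to compare both renderings: did a raw tag from the request
    survive into the response body?"""
    return tag in rendered.lower()
```

The check is deliberately a plain substring test on the response body, which is also the simplest thing a regression test for this APAR can assert on.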
Local fix

Problem summary

  • The ClearCase Web Interface has a cross-site scripting
    (XSS) vulnerability.
    

Problem conclusion

  • Fixed in ClearCase versions 7.0.0.4 and 7.0.1.3
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK70972

  • Reported component name

    CLEARCASE UNIX

  • Reported component ID

    5724G2901

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-08-22

  • Closed date

    2008-12-01

  • Last modified date

    2008-12-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    CLEARCASE UNIX

  • Fixed component ID

    5724G2901

Applicable component levels

  • R700 PSN

       UP


Document Information

Modified date:
01 December 2008