
Enhanced security for the Report Server for Crystal Reports

Technote (FAQ)


Question

How do I configure the ClearQuest Report Server for Crystal Reports to protect against cross-frame scripting attacks?

Answer

Cross-Frame Scripting (XFS) is a client-side security issue in which an attacker's page embeds a third-party site in a frame and exploits bugs in popular web browsers, or vulnerabilities in the framed HTML pages, to access private data from that third-party website. For a full description of Cross-Frame Scripting, see https://www.owasp.org/index.php/Cross_Frame_Scripting. By default, content returned by the Report Server for Crystal Reports can be embedded without restriction by web applications hosted on other web servers. Use the following instructions to restrict the web domains that are permitted to embed content from the Report Server for Crystal Reports.

1) Edit the Report Server for Crystal Reports configuration file
<WebSphereProfileDir>/installedApps/WebSphereAppServer-cell/RationalClearQuestWebReport.ear/CQWebReportModule.war/WEB-INF/classes/crconfiguration.properties

2) Add or update the property named ReferrerDomains, and provide a semicolon separated list of server domain names that are permitted to embed content from the Report Server for Crystal Reports. For example:
ReferrerDomains=www.ibm.com;myclearquestweb.com

3) Stop and restart IBM WebSphere Application Server to activate the configuration changes.
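The following is an added example, not IBM's code, that models how a ReferrerDomains-style allow-list can be enforced on the server and why the matching rule matters. The technote does not describe the product's internal check; this example assumes that the server compares the host of the HTTP Referer header with the configured domains, accepts an exact host or a subdomain of a configured domain, and treats a missing or unparsable Referer as not permitted. The properties content and the referrer URLs are constructed samples.

```python
# Added example, not IBM's code: a model of how a ReferrerDomains-style
# allow-list can be enforced on the server. Assumptions (not stated in the
# technote): the check compares the host of the HTTP Referer header with the
# configured domains, accepts an exact match or a subdomain of a configured
# domain, and treats a missing or unparsable Referer as not permitted.
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample of crconfiguration.properties content, using the
# example value from the technote.
SAMPLE_PROPERTIES = """
# constructed sample
ReferrerDomains=www.ibm.com;myclearquestweb.com
"""


def parse_referrer_domains(value: str) -> List[str]:
    """Split a semicolon-separated value into normalised, lower-case hosts."""
    return [d.strip().lower().rstrip(".") for d in value.split(";") if d.strip()]


def load_referrer_domains(properties_text: str) -> Optional[List[str]]:
    """Return the ReferrerDomains list, or None when the property is absent.

    None models the technote's stated default: with no property set,
    content may be embedded without restriction.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ReferrerDomains":
            return parse_referrer_domains(value)
    return None


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Extract the lower-case host from a Referer header value, if any."""
    if not referer:
        return None
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def is_permitted_referrer(referer: Optional[str], allowed: Optional[List[str]]) -> bool:
    """Decide whether a request carrying this Referer may embed report content."""
    if allowed is None:          # property not configured: unrestricted (page default)
        return True
    host = referer_host(referer)
    if host is None:             # no usable Referer: an allowed origin cannot be shown
        return False
    # Match the whole host or a proper subdomain. The leading dot is what makes
    # "myclearquestweb.com.attacker.example" and "evilwww.ibm.com" fail to match.
    return any(host == d or host.endswith("." + d) for d in allowed)


ALLOWED = load_referrer_domains(SAMPLE_PROPERTIES)

if __name__ == "__main__":
    # Constructed Referer values; .example is a reserved placeholder TLD.
    for ref in ["https://www.ibm.com/reports/1",
                "https://reports.myclearquestweb.com/cq",
                "https://myclearquestweb.com.attacker.example/",
                "https://evilwww.ibm.com/",
                None]:
        print(ref, "->", is_permitted_referrer(ref, ALLOWED))
```

Two points carry over to any real deployment of a referrer allow-list. First, the match must be anchored on the whole host or a dot-separated suffix; a plain substring or unanchored suffix test would accept a hostile host that merely contains an allowed domain name. Second, browsers can omit the Referer header (for example under a restrictive referrer policy or on HTTPS-to-HTTP navigation), so an allow-list of this kind rejects those requests; that is the trade-off behind the considerations the technote points to under Related Information.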

The ClearQuest Web client uses a similar approach to guard against XFS attacks. Some considerations and known issues are described in the Related Information links below.


Related information

ClearQuest Web XFS security update

Document information

More support for: Rational ClearQuest (Reporting)

Software version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1590691

Modified date: 08 August 2012