PM38058: CLIENT SIDE VALIDATION OF SERVER SIDE SECURITY

APAR status

• Closed as program error.

Error description

• The Rational Build Forge web application was found to use client
  side controls (JavaScript) to prevent the user from accessing
  certain application functionality under the Security sub-menu.
  It is possible to bypass client side controls by removing the
  disable attribute.
  
  
  Testing identified that there was no server side controls
  applied to the Export Key File function. A low level user can
  export this file.
  
  
  A low privileged non-admin user with access to the web
  application can modify the client side controls. This
  vulnerability may result in the disclosure of sensitive
  in-formation and potentially authorisation bypass. Testing
  performed allowed a low privileged user to export the key file,
  other similar vulnerabilities may exist within the application.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED:                                              *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  The command implementation lacked the appropriate security
  check.
  

Problem conclusion

• The appropriate check for the EditSecurity permission is now
  in place.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BUILD FORGE EE

• Fixed component ID

  5724S2701

Applicable component levels

• R712 PSN

     UP