IBM Support

HD80332: SECURITY HOLE IN WEB EDITOR


APAR status

  • Closed as program error.

Error description

  • Security hole in Web Editor
    
    Scenario:
    1. Create a document class and give permissions to joe only.
    2. When someone other than joe logs onto the Web Editor and does a
       search on this new class, no results are returned, as expected.
    3. Log in as joe and search for an object created for this new
       class. Click on the email icon and send the mail to bob.
    4. When bob clicks on the link in the email, he can view the
       profile card of the object, but when he clicks on viewer he
       gets an unauthorized operation error. Bob shouldn't be able
       to view the profile card in the first place, as he doesn't
       have any access to this class. This is a security hole in
       the Web Editor.
    
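The gap in the scenario above is a direct-link entry point (the profile card) that skips the class-level permission check which search and the viewer both apply. The following is an added toy model, not SmarTeam code; the classes, object ids, link format and function names are constructed, and it shows the vulnerable profile-card handler next to a fixed one that reuses the same check as the viewer.

```python
# Constructed toy model of the access-control gap in HD80332 (not SmarTeam code).
# The class-level ACL is enforced by search and by viewer, but before the fix
# the profile card reached through an emailed direct link skipped the check.

# Constructed data: which users may read each document class.
CLASS_ACL = {"secret-class": {"joe"}, "public-class": {"joe", "bob"}}

# Constructed objects keyed by id, each belonging to one document class.
OBJECTS = {
    1001: {"class": "secret-class", "title": "Q4 design spec"},
    1002: {"class": "public-class", "title": "Press release"},
}

def can_read(user, obj_id):
    """Single class-level permission check shared by every entry point."""
    obj = OBJECTS.get(obj_id)
    return obj is not None and user in CLASS_ACL.get(obj["class"], set())

def search(user, doc_class):
    """Search filters by the ACL: an unauthorised user gets no results."""
    return [oid for oid, o in OBJECTS.items()
            if o["class"] == doc_class and can_read(user, oid)]

def email_link(obj_id):
    """The link joe mails to bob: a direct object reference with no permission attached."""
    return f"/profile?objid={obj_id}"

def _obj_id_from_link(link):
    return int(link.split("objid=")[1])

def profile_card_vulnerable(user, link):
    """Before the fix: whoever holds the link sees the card, no ACL check at all."""
    return OBJECTS[_obj_id_from_link(link)]["title"]

def profile_card_fixed(user, link):
    """After the fix: the direct-link entry point applies the same check as viewer."""
    obj_id = _obj_id_from_link(link)
    if not can_read(user, obj_id):
        return None  # unauthorized: no metadata leaks through the profile card
    return OBJECTS[obj_id]["title"]

def viewer(user, obj_id):
    """The viewer already checked, which is why bob got 'unauthorized operation'."""
    if not can_read(user, obj_id):
        raise PermissionError("unauthorized operation")
    return OBJECTS[obj_id]["title"]
```

The lesson generalises beyond this APAR: any handler that resolves an object from a client-supplied identifier (a link, a form field, an API parameter) must perform the same authorization check as the primary navigation path, because filtering search results alone does not protect the object.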

Local fix

Problem summary

  • Security hole in Web Editor
    
    Scenario:
    1. Create a document class and give permissions to joe only.
    2. When someone other than joe logs onto the Web Editor and does a
       search on this new class, no results are returned, as expected.
    3. Log in as joe and search for an object created for this new
       class. Click on the email icon and send the mail to bob.
    4. When bob clicks on the link in the email, he can view the
       profile card of the object, but when he clicks on viewer he
       gets an unauthorized operation error. Bob shouldn't be able
       to view the profile card in the first place, as he doesn't
       have any access to this class. This is a security hole in
       the Web Editor.
    

Problem conclusion

  • THIS PROBLEM WILL BE FIXED ON SMARTEAM
    VERSION 5 RELEASE 18 SP08 LEVEL.
    

Temporary fix

Comments

APAR Information

  • APAR number

    HD80332

  • Reported component name

    SMARTEAM NT>XP

  • Reported component ID

    569199970

  • Reported release

    518

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-12-03

  • Closed date

    2009-01-15

  • Last modified date

    2009-02-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SMARTEAM NT>XP

  • Fixed component ID

    569199970

Applicable component levels

  • R518 PSN

       UP


Document Information

Modified date:
24 February 2009