
IC90704: (SSPCM) PEN TEST: SSP01 (L) DISABLE AUTOCOMPLETE HTML ATTRIBUTE FOR PASSWORD FIELD


APAR status

  • Closed as program error.

Error description

  • SSPcm - Web Security Scanning Vulnerabilities - Autocomplete
    HTML Attribute Not Disabled for Password Field
    A user running a web scanning tool to track vulnerabilities
    related to the Secure Proxy Configuration Manager tool.
    
    Issue: The "autocomplete" attribute has been standardized in
    the HTML5 standard. W3C's site states that the attribute has
    two states, "on" and "off", and that omitting it altogether is
    equivalent to setting it to "on". This page is vulnerable since
    it does not set the "autocomplete" attribute to "off" for the
    "User Name" and "password" fields in the "input" element. This
    may enable an unauthorized user (with local access to an
    authorized client) to autofill the username and password
    fields, and thus log in to the site or lock the valid user's
    account.
    
    Recommended Task: Set the "autocomplete" attribute to "off" on
    the "User Name" and "password" "input" elements. The HTML5
    standard gives the attribute two states, "on" and "off", and
    treats an omitted attribute as "on", so leaving it out does not
    disable browser autofill.
    
    Environment:
    IBM Rational AppScan 8.5 tool is used for the Web Scanning
    Sterling Secure Proxy 3.4.1
    
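The following is an added example, not code from the APAR or from the Sterling Secure Proxy product: a small check that reproduces the scanner's finding on a constructed login form (the treatment of an omitted attribute as "on" follows the HTML5 rule quoted above), together with a rewrite that forces autocomplete="off" onto password inputs. The markup, field names and function names are assumptions for illustration.

```javascript
// Added check (not from the APAR): flag <input> elements on a login page
// whose autocomplete setting lets the browser fill in credentials.
// Per HTML5, an omitted autocomplete attribute is equivalent to "on".
const LOGIN_PAGE_HTML = `
<form action="/login" method="post">
  <input type="text" name="userName" id="userName">
  <input type="password" name="password" id="password" autocomplete="on">
  <input type="submit" value="Log in">
</form>`; // constructed sample markup, not the SSP CM login page

// Collect the attributes of every <input ...> tag.
// Assumes simple markup with double-quoted attribute values.
function parseInputs(html) {
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  return tags.map(tag => {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      attrs[m[1].toLowerCase()] = m[2];
    }
    return attrs;
  });
}

// Return the credential inputs whose autocomplete is not "off".
function findAutocompleteFindings(html) {
  const findings = [];
  for (const a of parseInputs(html)) {
    const type = (a.type || 'text').toLowerCase();
    const isPassword = type === 'password';
    const isUserName = type === 'text' && /user|login/i.test(a.name || '');
    if (!isPassword && !isUserName) continue;
    const value = (a.autocomplete || 'on').toLowerCase(); // omitted == "on"
    if (value !== 'off') findings.push({ name: a.name, autocomplete: value });
  }
  return findings;
}

// Rewrite every password input so that autocomplete="off" is present,
// replacing any existing autocomplete value on that input.
function hardenPasswordInputs(html) {
  return html.replace(/<input\b[^>]*>/gi, tag => {
    if (!/type\s*=\s*"password"/i.test(tag)) return tag;
    const stripped = tag.replace(/\s+autocomplete\s*=\s*"[^"]*"/i, '');
    return stripped.replace(/\s*\/?>$/, ' autocomplete="off">');
  });
}
```

Running findAutocompleteFindings over the sample reports both the user name and the password input; after hardenPasswordInputs only the user name field remains, which the page also asks to be fixed.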

Local fix

  • STRRTC - 367240
    RJ/RJ
    Circumvention:
    Update to latest SSPcm Build
    

Problem summary

  • Customer security scan determined that the password field in
    the SSP Configuration Manager login page should not allow the
    browser to use the autocomplete function.
    

Problem conclusion

  • Corrected the SSP CM Login page to set Autocomplete=false on
    the password field when the page is initialized.
    

Temporary fix

  • Updated CM GUI logon page to disable the autocomplete feature
    on the password field.
    

Comments

  • Fix included in SSP3417.
    

APAR Information

  • APAR number

    IC90704

  • Reported component name

    STR SECURE PROX

  • Reported component ID

    5725D0300

  • Reported release

    341

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2013-03-07

  • Closed date

    2013-05-01

  • Last modified date

    2013-05-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR SECURE PROX

  • Fixed component ID

    5725D0300

Applicable component levels

  • R341 PSY UP

Document Information

Modified date:
01 May 2013