APAR status
Closed as program error.
Error description
XSS vulnerabilities reported in Queue Watcher as follows:

1. Reflected Cross-Site Scripting (XSS) Vulnerabilities (CWE-79)
By exploiting the parameter "title", the payloads section will display a list of tests that show how the parameter could have been exploited to collect information.
The path followed by the scanner to detect this was:
https://<IP address>:<port #>/queueWatch/queueWatcher
The payload was:
title=%22'%3E%3Cqss%20%60%3b!--%3D%26%7b()%7d%3E
The request was:
GET https://<IP address>:<base +1 port #>/queueWatch/login.jsp?title=%22'%3E%3Cqss%20%60%3b!--%3D%26%7b()%7d%3E

2. Browser-Specific Cross-Site Scripting Vulnerabilities (CWE-79)
By exploiting the parameter "title", the payloads section will display a list of tests that show how the parameter could have been exploited to collect information.
The path followed by the scanner to detect this was:
https://<IP address>:<port #>/queueWatch/queueWatcher
The payload was:
title=%3Cscript%20src%3Dhttp%3A%2F%2Flocalhost%2Fj%20
The request was:
GET https://<IP address>:<port #>/queueWatch/login.jsp?title=%3Cscript%20src%3Dhttp%3A%2F%2Flocalhost%2Fj%20

3. Unencoded Characters (CWE-79)
The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks, in particular cross-site scripting (XSS).
The path followed by the scanner to detect this was:
https://<IP address>:<port #>/queueWatch/queueWatcher
The payload was:
title=%3C%0a%0dscript%20a%3D4%3Eqss%3D7%3C%0a%0d%2Fscript%3E
The request was:
GET https://148.93.7.238:10001/queueWatch/login.jsp?title=%3C%0a%0dscript%20a%3D4%3Eqss%3D7%3C%0a%0d%2Fscript%3E
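The three findings above are one root cause seen three ways: the decoded value of the "title" parameter reaches the login.jsp response without output encoding. The following is an added example, not IBM's code and not the actual fix shipped in the product. It decodes the three scanner payloads quoted in the description, runs them through a hypothetical stand-in for the unpatched page (assumed to echo the parameter into element text) and through the same page with HTML entity encoding, and applies the scanner's own "unencoded characters" test: does the decoded payload come back verbatim, and if so which of `<`, `>`, `"`, `'` it carried. The page layout and function names are assumptions for illustration.

```python
from urllib.parse import unquote
from html import escape

# The three scanner payloads quoted in the APAR error description, still
# URL-encoded exactly as they appear in the GET requests to login.jsp.
SCANNER_PAYLOADS = {
    "reflected_xss": "title=%22'%3E%3Cqss%20%60%3b!--%3D%26%7b()%7d%3E",
    "browser_specific_xss": "title=%3Cscript%20src%3Dhttp%3A%2F%2Flocalhost%2Fj%20",
    "unencoded_characters": "title=%3C%0a%0dscript%20a%3D4%3Eqss%3D7%3C%0a%0d%2Fscript%3E",
}

# Characters the third finding calls out: reflecting any of them raw is the
# precondition for HTML injection in an element-text or attribute context.
DANGEROUS = set('<>"\'')


def query_param(query, name):
    """Decode 'name' from a raw query string the way a servlet container would
    (percent-decoding applied to the value). Split only on '&' so the %3b
    (';') inside the first payload stays part of the value."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == name:
            return unquote(value)
    return ""


def render_vulnerable(title):
    """Hypothetical stand-in for the pre-fix page: the decoded parameter is
    written into the HTML unchanged. (Assumed pattern, not the real JSP.)"""
    return "<html><head><title>" + title + "</title></head></html>"


def render_fixed(title):
    """Same page with HTML entity encoding for an element-text context.
    html.escape(quote=True) encodes & < > \" and '."""
    return "<html><head><title>" + escape(title, quote=True) + "</title></head></html>"


def unencoded_reflection(page, title):
    """Scanner-style check: if the decoded payload reaches the response verbatim,
    return the dangerous characters it carried; otherwise an empty set."""
    if title and title in page:
        return {c for c in title if c in DANGEROUS}
    return set()


def assess(renderer):
    """Run every scanner payload through a renderer and report which dangerous
    characters each finding gets reflected unencoded."""
    results = {}
    for finding, query in SCANNER_PAYLOADS.items():
        title = query_param(query, "title")
        results[finding] = unencoded_reflection(renderer(title), title)
    return results


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name)
        for finding, chars in assess(renderer).items():
            print(f"  {finding}: reflected unencoded -> {sorted(chars) or 'none'}")
```

Entity encoding is the right control only for the element-text context assumed here; if the real page had placed "title" inside an attribute, a JavaScript string or a URL, the encoder would have to match that context instead. Note also that the second payload never closes its tag and the third splits `<` from `script` with CR/LF, so the scanner's findings rest on the raw reflection of `<`, `>`, `"` and `'`, which is exactly what the check above reports, rather than on a demonstrated script execution.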
Local fix
STRRTC - 444725 NM / NA
Circumvention: None
Problem summary
Cross Site Scripting vulnerabilities in Queue Watcher.
Users Affected: All
Platforms Affected: All
Problem conclusion
The queueWatcher URL has Cross Site Scripting vulnerabilities. The issue is fixed.
Delivered In: 5020600
Temporary fix
Comments
APAR Information
APAR number
IT04830
Reported component name
STR B2B INTEGRA
Reported component ID
5725D0600
Reported release
524
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-10-08
Closed date
2015-10-29
Last modified date
2015-12-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR B2B INTEGRA
Fixed component ID
5725D0600
Applicable component levels
R526 PSY
UP
Business Unit: IBM Software w/o TPS (BU059)
Product: IBM Sterling B2B Integrator (SS3JSW)
Platform: Platform Independent (PF025)
Version: 5.2.4
Line of Business: Sustainability Software (LOB59)
Document Information
Modified date:
15 December 2015