APAR status
Closed as program error.
Error description
The internal pages of the application that display log files can be forcefully browsed without any authentication. The logs are served without authentication over HTTP on the base port and over HTTPS on the base port + 1, for example:

http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.AdminLog
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.Archive
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.Authentication
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.BPDeadline
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.FileGateway
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.FTP
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.HTTP
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.Jetty
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.Mailbox
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.neo
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.NoApp
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.Perimeter
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.PsFtpClientAdapter
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.ResourceMonitorLog
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.ScheduleLog
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.Security
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.ServicesController
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.SFTPClient
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.socketclient
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.SWNET7ADPTR
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.SystemLog
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.txlogger
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.visibility
http://9.155.214.146:10000/dashboard/jsp/LogViewIframe.jsp?logFile=Log.WorkFlow

Simulation Steps:
Replicated with the latest version of IBM Sterling B2B Integrator V5.2.5 and 5.2.4 / IBM Sterling File Gateway V2.2.6.2.

Supporting Documentation/Asset Location:
https://ecurep.mainz.de.ibm.com/rest/download/76603%2C024%2C677/2016-10-25/76603.024.677.Forceful_Browsing.docx

Dump_info:
https://ecurep.mainz.de.ibm.com/rest/download/76603%2C024%2C677/2016-10-27/76603.024.677.DumpInfo27Aug.txt

Observations: None

Expected Behavior:
The application should implement proper session management so that only authenticated users can access its internal authenticated pages.
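A check for this exposure, added here as an example and not part of the APAR or of IBM's code: it requests every LogViewIframe.jsp URL listed above with no session cookie, over HTTP on the base port and HTTPS on the base port + 1, and reports which ones return the log viewer instead of a login response. The classification rule (a 200 with no password field counts as exposed; redirects, 401 and 403 count as protected), the User-Agent string and the default host and port are assumptions, not facts from the APAR.

```python
"""Probe for the forceful-browsing exposure described in APAR IT20031.

Added example, not IBM code. Requests each LogViewIframe.jsp URL from the
APAR with no session cookie and reports the ones that serve log content.
"""
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Log names taken from the URLs in the APAR error description.
LOG_NAMES = [
    "Log.AdminLog", "Log.Archive", "Log.Authentication", "Log.BPDeadline",
    "Log.FileGateway", "Log.FTP", "Log.HTTP", "Log.Jetty", "Log.Mailbox",
    "Log.neo", "Log.NoApp", "Log.Perimeter", "Log.PsFtpClientAdapter",
    "Log.ResourceMonitorLog", "Log.ScheduleLog", "Log.Security",
    "Log.ServicesController", "Log.SFTPClient", "Log.socketclient",
    "Log.SWNET7ADPTR", "Log.SystemLog", "Log.txlogger", "Log.visibility",
    "Log.WorkFlow",
]
PATH = "/dashboard/jsp/LogViewIframe.jsp"

# Assumption: a patched server answers an unauthenticated request with a
# redirect, 401 or 403, or with the login page (which carries a password
# field); only a 200 without such a field is treated as exposed log content.
LOGIN_MARKERS = ('type="password"', "type='password'")


def probe_urls(host, base_port, log_names=LOG_NAMES):
    """One URL per log over HTTP (base port) and HTTPS (base port + 1), as in the APAR."""
    urls = []
    for name in log_names:
        query = urlencode({"logFile": name})
        urls.append(f"http://{host}:{base_port}{PATH}?{query}")
        urls.append(f"https://{host}:{base_port + 1}{PATH}?{query}")
    return urls


def is_exposed(status, body):
    """True when the response looks like the log viewer rendered without a session."""
    if status != 200:
        return False
    lowered = body.lower()
    return not any(marker in lowered for marker in LOGIN_MARKERS)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to the login page is the protected outcome."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10, verify_tls=True):
    """GET with no cookies or credentials; returns (status, body)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab instances often run with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), _NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "it20031-probe"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, err.read().decode("utf-8", "replace")


def probe(host, base_port, fetcher=fetch):
    """Return the URLs that served log content without authentication."""
    exposed = []
    for url in probe_urls(host, base_port):
        try:
            status, body = fetcher(url)
        except OSError:
            # Listener not reachable (for example HTTPS not enabled): not a finding.
            continue
        if is_exposed(status, body):
            exposed.append(url)
    return exposed


if __name__ == "__main__":
    # Hypothetical defaults; the APAR's own examples use base port 10000.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 10000
    for hit in probe(target, port):
        print("EXPOSED", hit)
```

Run it against a lab instance before and after applying the fix packs named under Problem conclusion; an empty result on the patched build, with the same URLs reported on the unpatched one, confirms the fix covers every log name in the report. The `fetcher` parameter exists so the classification logic can be exercised offline with canned responses.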
Local fix
Problem summary
Users Affected: All
Problem Description: IBM Sterling B2B Integrator logs are displayed without authentication due to forceful browsing.
Platforms Affected: All
Problem conclusion
Resolution Summary: A code fix is provided.
Delivered In: 5020500_16, 5020601_8, 5020603_3
Temporary fix
Comments
APAR Information
APAR number
IT20031
Reported component name
STR B2B INTEGRA
Reported component ID
5725D0600
Reported release
525
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-04-04
Closed date
2017-07-20
Last modified date
2017-11-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR B2B INTEGRA
Fixed component ID
5725D0600
Applicable component levels
R525 PSY
UP
Document Information
Modified date:
15 November 2017