IBM Support

IT21259: REPEATEDLY BEING ABLE TO HIT THE CHANGE PASSWORD PAGE WITHOUT GETTING BLOCKED IN THE MYFILEGATEWAY INTERFACE

 

APAR status

  • Closed as program error.

Error description

  • The Change Password module in MyFileGateway is accessible
    directly without any authentication.
    This allows any anonymous user to change a user's credentials
    by brute forcing the old password value of the victim user.
    (Improper session management and brute force attack.)
    

Local fix

  • STRRTC - 532041
    PdO / PdO
    Circumvention: None
    

Problem summary

  • Users Affected:
    All
    
    Problem Description:
    
    In IBM Sterling File Gateway / MyFileGateway, the Change
    Password page can be hit repeatedly with an HTTP proxy tool
    without the requests getting blocked.
    
    Platforms Affected:
    All
    

Problem conclusion

  • Resolution Summary:
    
    A code fix is provided.
    The following 2 properties are included in the
    customer_overrides.properties file:
    
    filegateway_ui.FGConsecFailedAttempts
    filegateway_ui.FGLockInterval
    
    Delivered In:
    5020500_16
    5020601_8
    5020603_3
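
    The kind of control the two property names point to, modelled as an added example (not IBM's code): a per-account counter of consecutive failed old-password checks with a timed lock. The class and function names, the sample requests, and the meanings given to the two values (a failure threshold and a lock length in seconds) are assumptions; the APAR does not document the properties' units or defaults.

```python
class ChangePasswordThrottle:
    """Per-account lockout for a change-password endpoint (illustrative model)."""

    def __init__(self, consec_failed_attempts=3, lock_interval=300.0):
        # Assumed meanings: failures allowed in a row, and lock length in seconds.
        self.consec_failed_attempts = consec_failed_attempts
        self.lock_interval = lock_interval
        self._failures = {}       # account -> consecutive wrong old-password guesses
        self._locked_until = {}   # account -> time at which the lock expires

    def attempt(self, account, old_password_ok, now):
        """Return 'locked', 'rejected' or 'changed' for one request at time `now`."""
        # Keyed on the target account, not a session or client address: the
        # page was reachable with no authenticated session to hang state on.
        if now < self._locked_until.get(account, 0.0):
            return "locked"   # refused before the guess is even evaluated
        if old_password_ok:
            self._failures.pop(account, None)   # success resets the streak
            return "changed"
        streak = self._failures.get(account, 0) + 1
        if streak >= self.consec_failed_attempts:
            self._locked_until[account] = now + self.lock_interval
            streak = 0
        self._failures[account] = streak
        return "rejected"


def replay(throttle, requests):
    """Run (account, old_password_ok, time) tuples through the throttle."""
    return [throttle.attempt(*r) for r in requests]


# Constructed request sequence: three wrong guesses, a correct one while locked,
# then the same correct one after the lock has expired.
SAMPLE = [("alice", False, 0), ("alice", False, 1), ("alice", False, 2),
          ("alice", True, 3), ("alice", True, 62)]

if __name__ == "__main__":
    print(replay(ChangePasswordThrottle(3, 60), SAMPLE))
```

    A lock of this kind limits the guess rate only; it does not replace requiring an authenticated session before the Change Password page is served.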
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT21259

  • Reported component name

    STR FILE GATEWA

  • Reported component ID

    5725D0700

  • Reported release

    225

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-06-30

  • Closed date

    2017-07-19

  • Last modified date

    2017-11-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR FILE GATEWA

  • Fixed component ID

    5725D0700

Applicable component levels


Document Information

Modified date:
03 March 2021