APAR status
Closed as program error.
Error description
Users of the Filegateway and EBICS Client application are able to carry out actions or access information otherwise restricted to them. This includes:

1) An SFG admin user can reset another SFG admin's or another user's password via the Filegateway interface. By replacing the userid sent in the body of the request while resetting their own password, it is possible to reset other users' passwords. Normally an SFG admin has to log into the EBICS dashboard to reset a password, but here it is done via the Filegateway interface. Note that the attacker needs to know the target username and supply the victim's current password correctly for the attack to succeed. However, as the application has a weak password policy and this request is not protected against CSRF attacks, it is possible to brute-force the target account with common weak passwords. Please note that it is not clear whether the Filegateway interface sends information to the EBICS dashboard on the server side. It has not been verified whether this attack can be carried out by a low-privileged user, as such an account was not provided for Filegateway.

2) A user is able to view event logs belonging to another (non-admin) user. By manipulating the event log ID number sent as part of the URI, it is possible to access another user's event logs even when they are not visible to the current user.

Due to the uncertainties around the full extent of the issues, this issue has been given a medium risk rating. However, it should be treated as a priority and resolved at the earliest opportunity.

IMPACT:
1) The impact of this issue is currently rated as medium, as the information currently being logged did not contain any sensitive information. However, the full extent of this issue is unknown, as it is not known whether admin-level users can access EBICS Client and whether logs may contain sensitive information. This technique could be used to enumerate valid usernames.
2) The impact of this issue is currently rated as medium, as initial tests show that the attack does not work on the administration panel of the EBICS dashboard. However, it is not known whether this information is used in a separate application outside the scope of this engagement.

REMEDIATION: All administrative functions should be hidden from low-privilege users and should require authentication to perform the actions. Only administrators should be able to perform administrative functions.
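The remediation above, shown as an added example that is not IBM product code: a vulnerable and a hardened form of each handler, where the hardened form takes the acting user from the login session and checks ownership of the requested event log (the handler and session shapes and the sample data are hypothetical and constructed for this illustration).

```python
# Added illustration of the remediation: derive the acting user from the
# authenticated session, never from the request body or URI. Handlers, session
# dict and sample data are hypothetical and constructed; not IBM product code.
import hmac

class Forbidden(Exception):
    pass

def _password_ok(passwords, user_id, supplied):
    return hmac.compare_digest(passwords.get(user_id, ""), supplied)

# Vulnerable shape: the target account is taken from the attacker-controlled body.
def reset_password_vulnerable(passwords, session, body):
    target = body["userid"]                          # session never consulted
    if not _password_ok(passwords, target, body["current_password"]):
        raise Forbidden("current password mismatch")
    passwords[target] = body["new_password"]
    return target

# Hardened shape: the target is always the session user (set at login); a userid
# in the body that disagrees is rejected, a clear tampering signal for audit logs.
def reset_password_fixed(passwords, session, body):
    target = session["user_id"]
    if body.get("userid", target) != target:
        raise Forbidden("userid in body does not match session user")
    if not _password_ok(passwords, target, body["current_password"]):
        raise Forbidden("current password mismatch")
    passwords[target] = body["new_password"]
    return target

# Vulnerable lookup: any log_id from the URI is served to any logged-in user.
def get_event_log_vulnerable(logs, session, log_id):
    return logs[log_id][1]                            # logs: log_id -> (owner, text)

# Hardened lookup: object-level authorisation, owner or admin only.
def get_event_log_fixed(logs, session, log_id):
    owner, text = logs[log_id]
    if owner != session["user_id"] and not session.get("is_admin", False):
        raise Forbidden("log %s is not owned by %s" % (log_id, session["user_id"]))
    return text

def denied(fn, *args):
    """True if the handler refuses the call; used to exercise the fixed paths."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```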
Local fix
No workaround exists.
Problem summary
Users Affected: All EBICS Users
Problem Description: In the EBICS client, one user was able to see the event details corresponding to another user.
Platforms Affected: All
Problem conclusion
Resolution Summary: A code fix is provided.
Delivered In: 5020603_3
Temporary fix
Comments
APAR Information
APAR number
IT21980
Reported component name
STR B2B INTEGRA
Reported component ID
5725D0600
Reported release
525
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-08-11
Closed date
2017-11-20
Last modified date
2017-11-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR B2B INTEGRA
Fixed component ID
5725D0600
Applicable component levels
R526 PSY
UP
Document Information
Modified date:
21 November 2017