IBM Support

IV07099: PAGES ON THE APPLICATION ARE ALLOWED TO BE CAPTURED WITHIN A FRAME FROM ANOTHER SERVER.


APAR status

  • Closed as program error.

Error description

  • PROBLEM:
    
    Pages on the application can be loaded inside a frame served
    from another server. An attacker exploits this by sending a
    user a forged link to a malicious page that embeds this
    application in a frame. Everything the user does in the
    framed application can then be monitored and recorded by the
    attacker, compromising the username, password, or any other
    sensitive input the user enters.
    
    Earlier variants of cross-frame scripting could be prevented
    by a frame-busting script like the one below. The newer
    variants of this finding can still frame the page when that
    script is in place, so the script alone is insufficient.
    
    <script LANGUAGE="JAVASCRIPT">
    // Naive frame buster: if this document is not the top-level
    // window, navigate the top-level window to this page's URL.
    // Bypassable by the newer variants described above, so it is
    // not sufficient on its own.
    if(top != self)
    {
    top.location=self.location;
    }
    </script>
    
    A page vulnerable to XFSv2 is also exposed to related attacks
    such as clickjacking, in which the framed page is overlaid so
    that a click the user believes performs one function actually
    triggers another, without the user's knowledge. For more on
    clickjacking, see http://en.wikipedia.org/wiki/Clickjacking
    
    Affected links:
    https://cloud-dev.nam.nsroot.net:9443/SimpleSRM/
    https://cloud-dev.nam.nsroot.net:9443/maximo
    
    Steps to reproduce:  See above
    
    Current Erroneous Results:  Page vulnerability
    
    Expected result:  Page is secured.
    
    Additional Info:
    
    ENVIRONMENT:
    - TSAM 7213
    - MBS  7116
    - OS  Linux 5.6
    - DB2 95
    

Local fix

  • n/a
    

Problem summary

  • ***************************************************
    * USERS AFFECTED: Citi
    ***************************************************
    * PROBLEM DESCRIPTION: It is possible to access the Simple SRM
    UI via frames and steal sensitive data.
    ***************************************************
    * RECOMMENDATION:
    Cross frame scripting issue is handled by the
    7.2.1.4-TIV-TSAM-LA0008.zip fix supplied.
    

Problem conclusion

  • Citi should apply 7.2.1.4-TIV-TSAM-LA0008.zip to resolve the cross
    frame scripting issues.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV07099

  • Reported component name

    TSAM (& INSTALL

  • Reported component ID

    5724W7800

  • Reported release

    721

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2011-08-30

  • Closed date

    2011-10-07

  • Last modified date

    2011-10-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TSAM (& INSTALL

  • Fixed component ID

    5724W7800

Applicable component levels

  • Line of Business: Automation (LOB45)
  • Business Unit: Cloud & Data Platform (BU053)
  • Product: Tivoli Service Automation Manager (SSFG5E)
  • Platform: Platform Independent (PF025)
  • Version: 721

Document Information

Modified date:
09 November 2020