IBM Support

JR50358: INSECURE REST URL COULD BE USED TO INJECT JAVASCRIPT

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • REST API URLs like the following URL can be used to inject an
    unsecure JavaScript statement into REST URL parameter 3:
     https://localhost:9443/rest/wesb/v1/[REST URL parameter 3]
    
    The input that is included in the request is echoed in the
    application's response and this input can be used to inject
    JavaScript into a URL, such as the following  URL:
     http://localhost:9080/rest/wesb/v1/<script>alert(1)</script>
    
    As a result, alert(1) runs.
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM Business Process Manager (BPM)          *
    *                  Advanced                                    *
    *                  IBM BPM Standard                            *
    *                  IBM BPM Express                             *
    ****************************************************************
    * PROBLEM DESCRIPTION: REST API URLs like the following URL    *
    *                      can be used to inject an unsecure       *
    *                      JavaScript statement into REST URL      *
    *                      parameter 3:                            *
    *                      https://localhost:9443/rest/wesb/v1/[R  *
    *                      EST URL parameter 3]                    *
    *                      The input that is included in the       *
    *                      request is echoed in the                *
    *                      application's response and this input   *
    *                      can be used to inject JavaScript into   *
    *                      a URL, such as the following  URL:      *
    *                      http://localhost:9080/rest/wesb/v1/<sc  *
    *                      ript>alert(1)</script>                  *
    *                      As a result, alert(1) runs.             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Some REST API URLs are insecure and can be used to inject
    JavaScript.
    

Problem conclusion

  • A fix is available for IBM BPM V8.5.0.1 that corrects how
    potentially insecure REST API URLs are handled.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR50358:
    1. Select IBM Business Process Manager and then Advanced from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR50358, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR50358

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-05-28

  • Closed date

    2014-07-29

  • Last modified date

    2014-07-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R800 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
29 July 2014