APAR status
Closed as program error.
Error description
There is a cross-site scripting vulnerability at the following URL:
https://158.98.108.83:9443/TbsmWebConsole/help/en/jsp/apwc_win_main.jsp?skin=
Cross-site scripting occurs when an attacker embeds malicious characters into dynamically generated web pages that display input which is not properly validated. The skin parameter contains the cross-site scripting vector.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All TBSM 3.1 Users.                          *
****************************************************************
* PROBLEM DESCRIPTION: There is a potential Cross Site         *
* Scripting vulnerability that might allow someone to form     *
* a malicious URL link to the TBSM Web Console. The            *
* vulnerability would be fairly difficult to exploit - it      *
* would require knowledge of the server system and would       *
* require convincing actual authorized users to access the     *
* system via a link that has been modified to contain          *
* malicious code that might then compromise security. The      *
* vulnerability only exists on links directly to the           *
* English help panels.                                         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The English help panels were providing an unused ability to modify the appearance slightly via a passed-in parameter. There was insufficient validation being performed on the provided value of this parameter prior to usage, which could potentially allow malicious code to be returned and executed by a user's browser.
Problem conclusion
The code which processes the optional help parameter now performs additional validation that prevents any malicious code from being injected and executed. The fix for this APAR is contained in the following maintenance packages:
LA interim fix | 3.1.0.1-TIV-BSM-LA0112
LA interim fix | 3.1.0.1-TIV-BSM-LA0116
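The validation gap described in the problem summary, and the allowlist-style check the conclusion refers to, shown side by side as an added Python example. This is not IBM's code and the actual JSP source is not on this page: the allowed skin names, the stylesheet link markup, the host name and all function names are assumptions constructed for the illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the real help pages' skin names are not on the page.
ALLOWED_SKINS = {"default", "highcontrast"}
DEFAULT_SKIN = "default"


def skin_from_url(url):
    """Extract the skin query parameter as a help page would see it (None if absent)."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("skin")
    return values[0] if values else None


def render_vulnerable(skin):
    """The pattern the APAR describes: the raw parameter value is reflected
    into dynamically generated markup without any validation."""
    return f'<link rel="stylesheet" href="/help/css/{skin}.css">'


def validate_skin(skin):
    """Allowlist validation: anything not a known, well-formed skin name
    falls back to the default instead of reaching the output."""
    if skin is None or not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", skin):
        return DEFAULT_SKIN
    return skin if skin in ALLOWED_SKINS else DEFAULT_SKIN


def render_hardened(skin):
    """Validate first, then HTML-escape the survivor as defence in depth."""
    safe = validate_skin(skin)
    return f'<link rel="stylesheet" href="/help/css/{html.escape(safe, quote=True)}.css">'


def is_reflected_unescaped(skin, rendered):
    """Detection helper for a review or regression test: True when a parameter
    containing HTML-significant characters appears verbatim in the output."""
    if skin is None or html.escape(skin, quote=True) == skin:
        return False
    return skin in rendered


if __name__ == "__main__":
    # Constructed request: placeholder host, path from the APAR, test value in skin.
    url = ('https://example.invalid:9443/TbsmWebConsole/help/en/jsp/apwc_win_main.jsp'
           '?skin=%22%3E%3Cscript%3Ealert(1)%3C/script%3E')
    skin = skin_from_url(url)
    print("vulnerable reflects verbatim:", is_reflected_unescaped(skin, render_vulnerable(skin)))
    print("hardened reflects verbatim:  ", is_reflected_unescaped(skin, render_hardened(skin)))
    print("hardened output:", render_hardened(skin))
```

The allowlist does the real work here: because the parameter only ever selects among a fixed set of names, the escaping step is a second line of defence rather than the primary control, and `is_reflected_unescaped` is the kind of check a regression test can run against every page that echoes a query parameter.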
Temporary fix
Comments
APAR Information
APAR number
OA14904
Reported component name
TIVOLI BSM OS/
Reported component ID
5698BSM00
Reported release
31D
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2006-01-16
Closed date
2006-03-17
Last modified date
2006-03-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIVOLI BSM OS/
Fixed component ID
5698BSM00
Applicable component levels
R20D PSN
UP
R21D PSN
UP
R21E PSN
UP
R31D PSY
UP
Document Information
Modified date:
17 March 2006