IBM Support

PH32170: RESOURCES ACCESSIBLE THROUGH FORCED BROWSING

APAR status

  • Closed as program error.

Error description

  • The application fails to properly restrict access to a URL or
    resource. Users can navigate directly to resources they are not
    authorized to see as long as they know the resource's path and
    name.

    In one case it was found that an unauthorized user is able to
    access DefaultTemplate.xls.

    Workaround:

    none

    Prerequisites:

    OP 8.1.0.1 installed
    
    Create Users:

    1. Log in to the OP Standard UI as an Administrator.
    2. Go to menu Administration > Users.
    3. Click on Create User.
    4. Enter a username (for example, ormmanager), fill in all the
    mandatory fields and click Next.
    5. Enter a password, fill in all the mandatory fields and click
    Next.
    6. Select the option "Assign from scratch" and click Next.
    7. In the list of allowed profiles, select the profile
    "OpenPages Platform 3" and click Next.
    8. Click on Associated Groups.
    9. Click on the Search tab, search for the OPAdministrators group
    and select it.
    10. Click on Next, Next again, and then Finish.
    11. Create another new user (ormmanager2) using the same steps
    as above, except assign a different profile, NOT "OpenPages
    Platform 3" as in Step 7.
    12. Also, unlike in Step 9, the second new user should not be a
    member of the OPAdministrators group.
    
    
    Steps to Reproduce:

    1. Open any supported browser and log in to the OpenPages Standard
    UI as the user "ormmanager" created in Step 4 above.
    2. Go to menu Administration > Manage System Files > Files.
    3. Change the view to Filtered List View and, in the Filter box,
    type % to see DefaultTemplate.xls.
    4. Now copy the browser URL and log out.
    5. Log in as the other user, "ormmanager2".
    6. After login, paste the URL copied in Step 4 and press Enter.
    7. You will see that the user "ormmanager2" can see the file
    DefaultTemplate.xls and can even download it by clicking on the
    view file link.
    8. User "ormmanager2" is not authorized to access this file but
    is able to access it by knowing the resource path.

    Error Message:

    n/a
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * OpenPages Users                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * RESOURCES ACCESSIBLE THROUGH FORCED BROWSING                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Customers should download OpenPages with Watson 8.2 Fix Pack *
    * 2 (8.2.0.2). See the following document for details on       *
    * obtaining OpenPages 8.2.0.2:                                 *
    * https://www.ibm.com/support/pages/openpages-watson-82-fix-pa *
    * ck-2                                                         *
    ****************************************************************
    

Problem conclusion

  • Some system files (like the FastMap template) need to be
    accessible via ACL for users in order for functionality to work.
    However, the files are not intended to be viewable/editable by
    the end user.
    
    We added checks for admin access and for access to the object
    type through the profile when displaying in a task view or
    downloading a file, as mentioned in the APAR.
    
    Customers should download OpenPages with Watson 8.2 Fix Pack 2
    (8.2.0.2). See the following document for details on obtaining
    OpenPages 8.2.0.2:
    https://www.ibm.com/support/pages/openpages-watson-82-fix-pack-2
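The gap described in the reproduction steps, and the kind of check the problem conclusion says was added (ACL still required, plus either administrator membership or a profile granting the object type), modelled as an added Python example. This is illustration only, not IBM or OpenPages code; the "AllUsers" group, the "SystemFile" object type and the profile representation are constructed for the example, while ormmanager, ormmanager2, OPAdministrators and DefaultTemplate.xls come from the APAR.

```python
# Added illustration for this APAR; not IBM or OpenPages code. Group and
# object-type names other than OPAdministrators are constructed for the example.
from dataclasses import dataclass, field

ADMIN_GROUP = "OPAdministrators"  # group named in the APAR reproduction steps


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    # object types the user's profile grants access to (constructed model)
    profile_object_types: set = field(default_factory=set)


@dataclass
class SystemFile:
    name: str
    object_type: str
    # principals granted read access via the file's ACL; some system files
    # must be readable this way so that features such as FastMap work
    acl_readers: set


def acl_allows(user, f):
    return user.name in f.acl_readers or bool(user.groups & f.acl_readers)


def can_download_before(user, f):
    # Pre-fix behaviour as the APAR describes it: the ACL alone decides, so
    # anyone who knows the URL and passes the ACL can view or download.
    return acl_allows(user, f)


def can_download_after(user, f):
    # Post-fix behaviour modelled on the problem conclusion: the ACL is still
    # required, but the caller must also be an administrator or hold a profile
    # that grants access to the file's object type.
    if not acl_allows(user, f):
        return False
    return ADMIN_GROUP in user.groups or f.object_type in user.profile_object_types


# Constructed principals mirroring the reproduction steps.
TEMPLATE = SystemFile("DefaultTemplate.xls", "SystemFile", {"AllUsers"})
ORMMANAGER = User("ormmanager", {ADMIN_GROUP, "AllUsers"}, {"SystemFile"})
ORMMANAGER2 = User("ormmanager2", {"AllUsers"}, set())

if __name__ == "__main__":
    for u in (ORMMANAGER, ORMMANAGER2):
        print(u.name, "before:", can_download_before(u, TEMPLATE),
              "after:", can_download_after(u, TEMPLATE))
```

Run stand-alone, the script shows ormmanager2 passing the ACL-only check but failing once the admin/profile check is layered on top, which is the behaviour change the fix pack delivers.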
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH32170

  • Reported component name

    OPENPAGES GRC

  • Reported component ID

    5725D5100

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-11-30

  • Closed date

    2021-04-02

  • Last modified date

    2021-04-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    OPENPAGES GRC

  • Fixed component ID

    5725D5100

Applicable component levels


Document Information

Modified date:
03 April 2021