Fixes are available
IBM MobileFirst Platform Foundation Interim Fix README for 7.1
IBM MobileFirst Platform Foundation Interim Fix README for 7.0
IBM MobileFirst Platform Foundation Interim Fix README for 6.3
IBM Worklight Interim Fix README for 6.2.0.1
IBM Worklight Interim Fix README for 6.1.0.2
IBM Worklight Interim Fix README for 6.0.0.2
APAR status
Closed as program error.
Error description
MobileFirst Platform Foundation applications that use the Cordova File-Transfer Plugin can have the HTTP headers set by that plugin be manipulated by the filename being uploaded. This allows for for cookies to be forged by the application, or for the file payload to be replaced in some situations. Remotely hosted applications and applications using the Cordova File-Transfer plugin to communicate to a third party that allow the user to manually enter the filename are especially vulnerable to this issue. If the MobileFirst Platform Foundation application is using Mobilefirst Platform APIs for all communication to do backend services to do file transfers, then there is no vulnerability to the application. MobileFirst Platform APIs provide secure communication, so therefore not affected by this vulnerability.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * Hybrid applications that use the Cordova File-Transfer * * Plugin for Android. * **************************************************************** * PROBLEM DESCRIPTION: * * HTTP headers that are set by the Cordova File-Transfer * * plugin can be manipulated by the filename of the file being * * uploaded. Any characters could be passed in for the * * filename, including non-ASCII text characters. This allows * * for cookies to be forged by the application, or for the file * * payload to be replaced in some situations. * * * * The solution is to restrict the characters to certain ASCII * * text characters. The upload should fail if non-ASCII text * * characters are entered, thus avoiding the vulnerability. * **************************************************************** * RECOMMENDATION: * * - * ****************************************************************
Problem conclusion
Restricting the characters of the filename will not allow cookies to be created or the file payload to be replaced or manipulated, making it safe to upload files. After installing the iFix, rebuild the Android application.
Temporary fix
Comments
APAR Information
APAR number
PI47658
Reported component name
MFPF/WORKLIGHT
Reported component ID
5725I4301
Reported release
505
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-08-26
Closed date
2015-10-08
Last modified date
2015-10-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MFPF/WORKLIGHT
Fixed component ID
5725I4301
Applicable component levels
R505 PSY
UP
R506 PSY
UP
R600 PSY
UP
R610 PSY
UP
R620 PSY
UP
R630 PSY
UP
R700 PSY
UP
R710 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSZH4A","label":"IBM Worklight"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"505","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
17 October 2021