IBM Support

IV84201: NETCOOL IMPACT V7.1.0.2 VULNERABILITY CROSS FRAME SCRIPTING - VERSION 2 (XFSV2) - POST AUTHENTICATION

APAR status

  • Closed as program error.

Error description

  • The following vulnerability has been detected.
    Pages on the application are allowed to be captured within a
    frame from another server. This can be exploited by attackers
    by sending a forged link to a user. The link will be to a
    malicious page with this application captured in a frame. All
    activity by the user can be monitored and recorded by the
    attacker, allowing the compromise of the username, password, or
    any other sensitive input the user enters.
    Earlier variants of cross-frame scripting could be prevented by
    a client-side frame-busting script. However, the newer
    variations (XFSv2) are able to frame the page even when such a
    script is applied, so a frame buster alone is insufficient. A
    page vulnerable to XFSv2 also leads to other vulnerabilities
    such as clickjacking. In a clickjacking attack the framed page
    is overlaid or hidden so that the user's click lands on a
    control they did not intend to operate, such as a button that
    appears to perform another function.
    For more on clickjacking, please visit
    http://en.wikipedia.org/wiki/Clickjacking
    Affected Hosts/URLs:
    https://FQDN:16311/documenter/WebDoc.jsp?clusterName=NCICLUSTER
    

Local fix

  • There are two options to fix the issue.
    1.  frame-buster JavaScript, as the customer security team mentioned
    2.  X-Frame-Options
    
    We suggest X-Frame-Options, since it uses the browser's built-in
    clickjacking protection, which is more reliable than any
    client-side frame-buster JavaScript. X-Frame-Options is
    supported by almost all web browsers (IE8, Firefox 3.6.9 and
    above).
    
    For browser support details, please check
    https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Other_Cheatsheets
    
    You can implement it as follows.
    Edit WebDoc.jsp under
    $IMPACT_HOME/wlp/usr/servers/ImpactUI/apps/ImpactUI.ear/documenter.war/WebDoc.jsp
    Add a line between line 48 and line 49.
    line 48   <% HtmlUtils.setResponseHeaders(response, "text/html"); %>
    line 49   <% request.setAttribute("sourcePage", request.getRequestURI()); %>
    
    The new file will look as follows; save it.
    line 48   <% HtmlUtils.setResponseHeaders(response, "text/html"); %>
    line 49   <% response.setHeader("X-Frame-Options", "SAMEORIGIN"); %>
    line 50   <% request.setAttribute("sourcePage", request.getRequestURI()); %>
    
    The header must be set before any of the response body is
    written, which is why it goes directly after
    setResponseHeaders and ahead of the page content. It only
    protects the response of this JSP; any other page that must not
    be framed needs the same header.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All Impact Users                                             *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Pages on the application are allowed to be captured within a *
    * frame from another server. This can be exploited by          *
    * attackers by sending a forged link to a user.                *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

  • Set X-Frame-Options, since it uses the browser's built-in
    clickjacking protection.
    
    The fix for this APAR is contained in the following
    maintenance packages:
    Fix Pack: 7.1.0-TIV-NCI-FP0006
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV84201

  • Reported component name

    NC/IMPACT RTID

  • Reported component ID

    5724O5900

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-04-28

  • Closed date

    2016-05-18

  • Last modified date

    2024-06-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • UNKNOWN
    

Fix information

  • Fixed component name

    NC/IMPACT RTID

  • Fixed component ID

    5724O5900

Applicable component levels

  • Business Unit: IBM Software (BU048)
  • Product: Tivoli Netcool/Impact (SSSHYH)
  • Platform: Platform Independent (PF025)
  • Version: 710
  • Line of Business: IT Automation & App Modernization (LOB67)

Document Information

Modified date:
12 June 2024