IBM Support

IC97568: (CLIENT) HTTP OPTION - CROSS-FRAME SCRIPTING VULNERABILITY

APAR status

  • Closed as program error.

Error description

  • 1) HIGH - Cross-Frame Scripting (11293)
    CWE: 352 Kingdom: Environment
    
    We need to include the X-FRAME-OPTIONS header with the
    SAMEORIGIN value to mitigate this problem.
    
    Remediation Steps (from IBM's AppScan output from RTC367009):
    It is recommended that application pages be configured to
    prevent easy rendering within 3rd party HTML frames. Currently,
    the best solution for addressing this flaw is to use the
    X-FRAME-OPTIONS header. This header allows a site to control
    whether its content can be placed within a frame. The header has
    two settings: DENY blocks the content from being placed in any
    frame, and SAMEORIGIN only allows the content to be framed by
    pages within the same origin. Most modern browsers support
    this feature; however, check the Browser Security Handbook for
    the most up-to-date list
    (http://code.google.com/p/browsersec/).
    
    If the web application must support older web browsers, consider
    supplementing X-FRAME-OPTIONS with a JavaScript "Framekiller"
    routine. This JavaScript code checks that the page is not
    included within an HTML frame and should be included in all
    application pages. If a frame is detected, the JavaScript routine
    immediately breaks out of the parent frame. The following is an
    example of a generic Framekiller JavaScript routine:
    <script>
      // Runs only when this document is not the top-level browsing context.
      if (top != self) {
        top.location.replace(self.location.href);
      }
    </script>
    
    2) MEDIUM - Script Directory Check (4731)
      CWE: 284, 200 Kingdom: Environment
      Page: /cehttp/servlet/MailboxServlet
    
    The Customer's example shows a logon request and a successful
    logon response. The dialog in the summary says, "A directory
    was discovered that contains an object referenced in a post
    request or query string, and which has a name that could easily
    be guessed by an attacker."
    

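Added example, not code from the APAR or from the Connect:Enterprise product: a Python check that classifies a raw HTTP response by the X-Frame-Options header the remediation text describes (missing, DENY/SAMEORIGIN, obsolete ALLOW-FROM, or duplicated), plus a WSGI middleware that applies the SAMEORIGIN fix to an application that sets no header. The sample responses and the demo app are constructed; the servlet path is the one named in the finding above.

```python
# Added example (not from the APAR or the product): audit a response for the
# X-Frame-Options header and apply the SAMEORIGIN fix as WSGI middleware.

def audit_frame_options(raw_response: bytes) -> dict:
    """Classify the anti-framing posture of one raw HTTP/1.x response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = [
        line.split(":", 1)[1].strip()
        for line in head.split("\r\n")[1:]  # skip the status line
        if line.lower().startswith("x-frame-options:")
    ]
    if not values:
        return {"protected": False, "reason": "X-Frame-Options header missing"}
    if len(values) > 1:
        return {"protected": False, "reason": "multiple X-Frame-Options headers; fix the server"}
    value = values[0].upper()
    if value in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "reason": value}
    if value.startswith("ALLOW-FROM"):
        return {"protected": False, "reason": "ALLOW-FROM is obsolete and ignored by current browsers"}
    return {"protected": False, "reason": f"unrecognised value {value!r}"}

def add_frame_options(app, policy: str = "SAMEORIGIN"):
    """WSGI middleware: set X-Frame-Options on every response unless the app already did."""
    def wrapped(environ, start_response):
        def start_with_header(status, headers, exc_info=None):
            if not any(name.lower() == "x-frame-options" for name, _ in headers):
                headers = headers + [("X-Frame-Options", policy)]
            return start_response(status, headers, exc_info)
        return app(environ, start_with_header)
    return wrapped

def demo_app(environ, start_response):
    """Constructed stand-in for a servlet page that sets no anti-framing header."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>mailbox</html>"]

def run_wsgi(app, path: str):
    """Minimal in-process WSGI driver; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body

# Constructed sample responses: the finding as reported, and the remediated state.
UNPROTECTED_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>mailbox</html>"
PROTECTED_RESPONSE = b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>mailbox</html>"
```

Run audit_frame_options over responses captured from each application page to confirm the header is present after the fix, and wrap the application in add_frame_options when the framework cannot set the header itself.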
Local fix

  • STRRTC - 399158
    RJ/RJ
    Circumvention:
    Update to the latest maintenance for the HTTP Option.
    

Problem summary

  • C:E HTTP pages can be loaded inside a frame on another site,
    allowing an attacker to steal sensitive information.
    

Problem conclusion

  • Added logic to ensure that the application can only be executed
    within the current source frame.
    

Temporary fix

  • Added logic to ensure that the application can only be executed
    within the current source frame.
    

APAR Information

  • APAR number

    IC97568

  • Reported component name

    STR CON ENT HTT

  • Reported component ID

    5725D0102

  • Reported release

    132

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-11-11

  • Closed date

    2013-12-16

  • Last modified date

    2013-12-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR CON ENT HTT

  • Fixed component ID

    5725D0102

Applicable component levels

  • R140 PSY

       UP

Document Information

Modified date:
24 September 2021