RS00810: VULNERABILITY WITH UNKNOWN ERROR CAUSE


APAR status

  • Closed as program error.

Error description

  • It is possible to provoke an "Unknown Error" page for which RTS
    will show an unescaped cause message, leaving it vulnerable to
    cross-site scripting.

Local fix

  • In content/error.jsp remove the line:
            cause="#{ErrorMessageActionBean.cause}"

Problem summary

  • The error message displays the text passed as an argument directly,
    without encoding it as HTML.

Problem conclusion

  • Change the code to HTML-encode any string when displaying an
    error message.
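The following is an added illustration of the fix described above; it is not IBM's code, and the class, method names and sample cause message are constructed for the example. It contrasts writing the cause into the page unchanged with HTML-encoding it at the point of output, and includes a small check that no markup from the cause survives in the rendered fragment.

```java
// Added example, not IBM's code: encode an error cause before it is rendered in a JSP page.
public final class ErrorCauseEncoding {

    // Constructed sample cause containing characters a browser would interpret as markup.
    static final String SAMPLE_CAUSE =
        "Rule \"Pricing\" failed: <b>unexpected</b> token '&' near line 3";

    // Replace the characters that carry meaning in HTML text and attribute values.
    // Covering <, >, &, " and ' keeps the result inert in both contexts.
    static String encodeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // What the unpatched page effectively did: the cause is written into the markup as-is.
    static String renderUnescaped(String cause) {
        return "<div class=\"cause\">" + cause + "</div>";
    }

    // The corrected behaviour: the cause is HTML-encoded at the point of output.
    static String renderEncoded(String cause) {
        return "<div class=\"cause\">" + encodeHtml(cause) + "</div>";
    }

    // Regression check: after removing the fixed wrapper, no '<' may remain in the fragment.
    static boolean onlyWrapperTags(String rendered) {
        String inner = rendered.replace("<div class=\"cause\">", "").replace("</div>", "");
        return inner.indexOf('<') < 0;
    }

    public static void main(String[] args) {
        String bad = renderUnescaped(SAMPLE_CAUSE);
        String good = renderEncoded(SAMPLE_CAUSE);
        System.out.println("unescaped: " + bad + "  markup leaked: " + !onlyWrapperTags(bad));
        System.out.println("encoded:   " + good + "  markup leaked: " + !onlyWrapperTags(good));
    }
}
```

The check passes for the encoded output and fails for the unescaped one, which is the behaviour a unit test around the error page should assert after applying the fix.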

Temporary fix

Comments

APAR Information

  • APAR number

    RS00810

  • Reported component name

    WS ILOG RTS

  • Reported component ID

    5724Y0000

  • Reported release

    711

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-10-11

  • Closed date

    2011-10-24

  • Last modified date

    2011-10-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WS ILOG RTS

  • Fixed component ID

    5724Y0000

Applicable component levels

  • R711 PSN

       UP

Document information


More support for:

WebSphere ILOG Rule Team Server

Software version:

7.1.1

Reference #:

RS00810

Modified date:

2011-10-24