APAR status
Closed as program error.
Error description
The client was able to cross-script their application despite enabling the security for cross-scripting.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:
* All HATS users
****************************************************************
* PROBLEM DESCRIPTION:
* While running a HATS application, users are able to
* successfully inject a malicious script through the input
* parameters
****************************************************************
* RECOMMENDATION:
****************************************************************
1. Create a HATS web project
2. While running the project in the browser, try to inject a malicious script inside a query parameter
3. The script executes successfully in the browser!
Problem conclusion
Code changes have been made in hatsruntime.jar to sanitize the malicious code and address the cross-site scripting attack.
Temporary fix
Comments
APAR Information
APAR number
IT39976
Reported component name
RATL HATS FOR 5
Reported component ID
5724U6800
Reported release
960
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-02-15
Closed date
2022-08-25
Last modified date
2022-08-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
HATS
Fix information
Fixed component name
RATL HATS FOR 5
Fixed component ID
5724U6800
Applicable component levels
Product: Rational Host Access Transformation Services (SSXKAY)
Version: 960
Platform: Platform Independent
Business Unit: IBM Infrastructure w/TPS
Line of Business: Mainframe SW
Document Information
Modified date:
25 August 2022