APAR status
Closed as program error.
Error description
Customer reported that the CSRF attack prevention / XSS security policy supported in HATS was not effective when the application was tested with the Burp Suite penetration-testing tool. With IBM HATS 9.7.0.2 they observed a session hijacking issue: the customer was able to change the JSESSIONID cookie value for user1 and user2. When they then accessed the HATS application they received the HATS1005 error message, but by modifying the URL they were still able to proceed to the next screen.
Local fix
A permanent fix will be added to the next HATS fix pack level.
Problem summary
****************************************************************
* USERS AFFECTED:                                              *
* All HATS users                                               *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* The session can be hijacked when the cookie value is used in *
* another browser                                              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Steps to recreate the problem:
1. Create a web project and run it on the server.
2. Log in to the application and copy the session cookie value using the browser developer tools.
3. Open the login page in a new browser and replace that browser's cookie value with the copied one.
4. The session from the previous browser continues in the new browser.
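The recreate steps above are a cookie-replay test: whoever presents the JSESSIONID value is treated as the logged-in user. The following is an added example, not HATS code and not a description of the fix IBM shipped. It uses a small in-process session store (an assumption standing in for the servlet container) to run the four steps automatically, first against a store that behaves as the APAR describes and then against one that regenerates the session ID at login and binds the session to a client fingerprint. The Client attributes, the fingerprint inputs (User-Agent and source IP) and the sample browsers are constructed values.

```python
"""Cookie-replay (session hijacking) check modelled on the APAR recreate steps.

Added example, not HATS code. SessionStore is an assumed stand-in for the
servlet container's JSESSIONID handling; the 'bound' variant is a generic
mitigation, not a statement of what the HATS fix does.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Client:
    """A browser as the server sees it: its cookie jar plus the request
    attributes a server can bind a session to (constructed sample values)."""
    user_agent: str
    ip: str
    cookies: dict = field(default_factory=dict)


def fingerprint(client: Client, secret: bytes) -> str:
    """Keyed hash of client attributes; the server-side secret stops a forger
    who knows the attributes from computing the value offline."""
    data = f"{client.user_agent}|{client.ip}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side session table keyed by the JSESSIONID cookie value.

    bind_to_client=False reproduces the APAR behaviour: any client presenting
    the cookie gets the session. bind_to_client=True records a client
    fingerprint at login and rejects later requests whose fingerprint differs.
    """

    def __init__(self, bind_to_client: bool):
        self.bind_to_client = bind_to_client
        self.secret = secrets.token_bytes(32)
        self.sessions: dict[str, dict] = {}

    def login(self, client: Client, user: str) -> None:
        # Issue a fresh ID at login so an ID the client held before
        # authenticating (session fixation) never becomes an authenticated one.
        old = client.cookies.get("JSESSIONID")
        self.sessions.pop(old, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "fp": fingerprint(client, self.secret)}
        client.cookies["JSESSIONID"] = sid

    def current_user(self, client: Client) -> str | None:
        """Who the server believes is making this request, or None."""
        sid = client.cookies.get("JSESSIONID", "")
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.bind_to_client and not hmac.compare_digest(
            sess["fp"], fingerprint(client, self.secret)
        ):
            # Fingerprint mismatch: treat the cookie as stolen and drop the
            # session entirely (fail closed), which also logs out the victim.
            self.sessions.pop(sid, None)
            return None
        return sess["user"]


def replay_test(store: SessionStore) -> dict:
    """APAR steps 1-4: log in as user1 in browser A, copy the cookie into a
    different browser B, then ask the server who B is."""
    browser_a = Client("Mozilla/5.0 (Windows NT 10.0) Firefox/102.0", "10.0.0.5")
    browser_b = Client("Mozilla/5.0 (X11; Linux x86_64) Chrome/103.0", "10.0.0.9")
    store.login(browser_a, "user1")                                   # step 2
    browser_b.cookies["JSESSIONID"] = browser_a.cookies["JSESSIONID"]  # step 3
    return {
        "attacker_sees": store.current_user(browser_b),              # step 4
        "victim_still_logged_in": store.current_user(browser_a) is not None,
    }


if __name__ == "__main__":
    print("unbound:", replay_test(SessionStore(bind_to_client=False)))
    print("bound:  ", replay_test(SessionStore(bind_to_client=True)))
```

Binding to User-Agent and source IP is a detection measure, not a proof of identity: an attacker who replays the cookie from the same proxy and browser profile is indistinguishable from the victim, and legitimate users behind changing NAT addresses will be logged out. It complements, rather than replaces, marking the cookie Secure and HttpOnly, serving only over TLS, regenerating the ID at login, and invalidating the session on logout and after a short idle timeout.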
Problem conclusion
Code changes have been made to address this issue in HATS.
Temporary fix
Comments
APAR Information
APAR number
IT41537
Reported component name
RATL HATS FOR 5
Reported component ID
5724U6800
Reported release
970
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-07-18
Closed date
2022-08-25
Last modified date
2022-09-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
HATS
Fix information
Fixed component name
RATL HATS FOR 5
Fixed component ID
5724U6800
Applicable component levels
Business Unit: IBM Infrastructure w/TPS (BU058)
Product: Rational Host Access Transformation Services (SSXKAY)
Platform: Platform Independent (PF025)
Version: 970
Line of Business: Mainframe SW (LOB35)
Document Information
Modified date:
09 September 2022