APAR status
Closed as program error.
Error description
Vulnerability issue: session ID can be stolen due to HTTP's GET method
Local fix
Problem summary
USERS AFFECTED:
PROBLEM DESCRIPTION:
RECOMMENDATION:
Vulnerability issue: session ID can be stolen due to HTTP's GET method
Problem conclusion
The redirect from the authentication servlet to the PHP now uses POST instead of GET, preventing the token from ever appearing in the URL.
Temporary fix
Comments
APAR Information
APAR number
PM29655
Reported component name
BUILD FORGE SE
Reported component ID
5724S2705
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-12-29
Closed date
2011-04-08
Last modified date
2011-04-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BUILD FORGE SE
Fixed component ID
5724S2705
Applicable component levels
R710 PSN
UP
Document Information
Modified date:
08 April 2011