IBM Support

HD71425: SECURITY HOLE


APAR status

  • Closed as program error.

Error description

  • Security Hole.
    Scenario:
    1. Can use SmDemo.
    2. Create Group1 with following permissions:
    Projects - Full permissions.
    Documents - Full permission.
    EXCEPT: Deny View operation on Released and
    Obsolete states.
    Links Classes - Full permissions.
    3. Create User1 and assign with Group1.
    4. Login ST with User1.
    5. Create a Document object with a file and
    Release it.
    6. On the Released Document, open Viewer tab.
    ==> OK: Get message on Viewer tab:
    Unauthorized operation. An unauthorized attempt
    was made to perform 'View' operation...
    7. Now initiate a Process on this Document.
    8. Open the Workflow Process view.
    9. Select the Document object in the Flow Process
    and open Viewer tab.
    ==> KO: Viewer is opened. File can be viewed.
    Expected: Viewer should not be authorized.
    Behavior should be consistent in Document Tree
    view and in Flow Process View.
    

Local fix

Problem summary

  • Security Hole
    

Problem conclusion

  • THIS PROBLEM WILL BE FIXED ON SMARTEAM
    VERSION 5 RELEASE 19 SP01 LEVEL.
    

Temporary fix

Comments

APAR Information

  • APAR number

    HD71425

  • Reported component name

    SMARTEAM NT>XP

  • Reported component ID

    569199970

  • Reported release

    517

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-02-11

  • Closed date

    2008-05-15

  • Last modified date

    2008-06-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SMARTEAM NT>XP

  • Fixed component ID

    569199970

Applicable component levels

  • R518 PSN SP51805

       UP08/06/02 I 1000


Document Information

Modified date:
02 June 2008