Author Message
WilsonYu
Joined: Nov 6, 2013
Messages: 3946
If you have a security concern with the CSRF and XSS attacks on the RuntimeConfig Admin app running on Tomcat, you should apply the updated version of the web app attached in this post. To apply, please follow the steps below:

1. Remove the existing Runtimeconfig app from the app server.
2. Redeploy runtimeconfig.war from this attachment.
Filename: runtimeconfig.war
Description: No description given
Filesize: 4374 Kbytes
Downloaded: 5657 time(s)

gprada.avaya.com
Joined: Mar 20, 2018
Messages: 6
Hi Wilson,

Would you be so kind as to provide the runtimeconfig fixed version for WebSphere? We are currently facing this problem. In case you need it, here is our dev environment info:

OD 7.2.0.0904
JDK 1.8.0_172

Thanks!
WilsonYu
Joined: Nov 6, 2013
Messages: 3946
We don't intend to provide a solution for WebSphere. It is NOT feasible to do so. WebSphere always has its own way of doing things. Keep in mind that this is just a regular application running on the platform. Customers should follow WebSphere's guidelines or methods on how to secure them.
MikiY
Joined: Jan 6, 2014
Messages: 41
Hi Wilson,

We downloaded this version of the runtimeconfig, but we are still seeing a bunch of vulnerabilities. Can you provide a more recent version that has the additional fixes? Below is the list of various issues.

Cross-Site Scripting: Reflected
Password Management: Insecure Submission
Cross-Site Scripting: DOM
Password Management: Password in HTML Form
Server-Side Request Forgery
Privacy Violation: Autocomplete
System Information Leak: External
Portability Flaw: Locale Dependent Comparison

Thanks,
Miki