Metastorm BPM 9.0.3 Hotfix 3 (9.0.3.3)

Product:              Metastorm BPM®

Release:              9.0 SR3

Hotfix:               9.0.3.3

Affected Components:  Metastorm Process Designer, Metastorm Web Client

Purpose of the hotfix:

This hotfix addresses the following issues:

  • When the BPM project size increases, the performance of adding objects to a process in the Designer deteriorates. (Metastorm# SR-02232011-0023, DEF16709)
  • When a folder lock occurs, an incorrect error message, “Exception of type 'Metastorm.Engine.Interface.FolderLockedException' was thrown”, is displayed instead of the expected error message, “Folder is locked by for ”. (Metastorm# SR-03072011-0014, SR-03292011-0008, DEF16550)
  • When caching is enabled and a folder is reopened, previously selected drop-down values appear blank in the Web Client after applying 9.0.3.2. (Metastorm# SR-03232011-0020, DEF16730)
  • The auto-complete option is enabled on the Web Client login page, which can lead to security issues. Auto-complete has now been disabled on the login page. (Metastorm# SR-03292011-0009, DEF16746)
  • SQL injection is possible by injecting custom SQL into either the WhereFilter or SortColumn value in the To Do list, Watch list, and Blank Forms cookies, or by modifying the POST request. (Metastorm# SR-03292011-0007, DEF16785)
  • The HttpOnly flag is not enabled for server-side cookies carrying session parameters when the Web Client runs in secure mode (RunInSecureMode set to 1).

To address the issue, the HttpOnly flag is now enabled on the following cookies that carry session parameters:

  • LastNavLocation
  • BlankFormListPart
  • WatchListPart
  • AdminFormListPart
  • ToDoListPart
  • Metastorm+BPM+ServerSessionId
  • MetastormBPMAuth

(Metastorm# SR-03292011-0003, DEF16839)

  • After opening a Form, entering scripts in memo or text fields and submitting the form results in the scripts being executed. (Metastorm# SR-03292011-0005, DEF16871)

  • Verbose error messages are displayed in the Web Client, such as “Exception 'Incorrect syntax near '='.' occurred when attempting to 'Execute MBO non-query'”, instead of a generic, meaningful error message. (Metastorm# SR-03292011-0008, DEF16875)

Implications of the hotfix and other considerations:

  • Metastorm# SR-03292011-0004, SR-03292011-0005, SR-03292011-0003, SR-03292011-0007, SR-03292011-0009, DEF12998, DEF16878, DEF16839, DEF16785, DEF16746

The security of the Web Client has been enhanced. Options are now available to set the Secure attribute on cookies during an encrypted session and to address the cross-site scripting and SQL injection issues.

The enhanced security provided by this hotfix must be enabled in %MBPM%\Web\web.config by setting either the httpOnlyCookies or the requireSSL attribute to “true”:

httpOnlyCookies – If this attribute is set to true, all server-side cookies are created with the HttpOnly flag, which prevents browser scripts from reading them.

requireSSL – If this attribute is set to true, all cookies are created with the Secure flag, so the browser sends them only over an encrypted channel (SSL). Also ensure that all requests to the Metastorm BPM web application use the HTTPS protocol.

Note: The configuration settings above also secure the cookies. For more details, see: http://msdn.microsoft.com/en-us/library/ms228262.aspx

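As an added check (example code, not part of Metastorm's hotfix or product), the following script audits the Set-Cookie headers a client receives from the Web Client and reports which of the session cookies listed above still lack the HttpOnly flag, or the Secure flag when requireSSL is in use. The cookie names come from this note; the sample headers and the audit functions are constructed for illustration.

```python
# Cookie names are those listed in the hotfix note; everything else here is
# an assumption about how a Web Client response looks.
SESSION_COOKIES = {
    "LastNavLocation", "BlankFormListPart", "WatchListPart",
    "AdminFormListPart", "ToDoListPart",
    "Metastorm+BPM+ServerSessionId", "MetastormBPMAuth",
}

def parse_set_cookie(header):
    """Return (name, lower-cased flag set); valued attributes like path=/ are not flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    flags = {p.lower() for p in parts[1:] if p and "=" not in p}
    return name, flags

def audit_cookies(set_cookie_headers, require_ssl):
    """Map each session cookie seen to the flags it lacks: HttpOnly is always
    expected (httpOnlyCookies="true"), Secure only when requireSSL="true"."""
    findings = {}
    for header in set_cookie_headers:
        name, flags = parse_set_cookie(header)
        if name not in SESSION_COOKIES:
            continue  # e.g. a UI preference cookie, not in scope
        missing = []
        if "httponly" not in flags:
            missing.append("HttpOnly")
        if require_ssl and "secure" not in flags:
            missing.append("Secure")
        findings[name] = missing
    return findings

# Constructed sample headers: one response before the hotfix and one after it.
BEFORE_HOTFIX = [
    "MetastormBPMAuth=abc123; path=/",
    "Metastorm+BPM+ServerSessionId=sess42; path=/",
    "Theme=blue; path=/",
]
AFTER_HOTFIX = [
    "MetastormBPMAuth=abc123; path=/; HttpOnly; Secure",
    "Metastorm+BPM+ServerSessionId=sess42; path=/; HttpOnly",
    "Theme=blue; path=/",
]

if __name__ == "__main__":
    for name, missing in audit_cookies(AFTER_HOTFIX, require_ssl=True).items():
        print(name, "OK" if not missing else "missing " + ", ".join(missing))
```
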
  • Metastorm# SR-03292011-0005, DEF16871

The enhanced security that this hotfix adds to the Metastorm BPM v9 Web Client introduces functionality to sanitize user input data before it reaches the Metastorm BPM v9 Engine Database.

Optionally, user input sanitization can be disabled when the Web Client is running in secure mode (httpOnlyCookies and/or requireSSL set to true). This is controlled by the following setting in the %MBPM%\Web\web.config file:

The setting value="0" disables sanitization. By default, sanitization is switched on when secure mode is enabled.

The Microsoft Anti-Cross Site Scripting Library V4.0 is used to allow only characters from the safe list (also known as the "white list") defined in that library. For more details, see the following link:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651

It is the developer's responsibility to ensure that no unsanitized external data is entered into the Metastorm BPM database via any other application.

  • Metastorm# SR-02022011-0004, SR-03312011-0007, DEF16349

The Designer cannot be opened after applying the hotfix on a system with ProVision and the BPM->ProVision Connector installed.

To work around the issue, edit Designer.exe.config and PVBpmConverter.exe.config by replacing the following code:

with the following code: