Skip to Main Content
IBM Sterling


This portal is to open public enhancement requests for IBM Sterling products and services. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Not under consideration
Categories Security
Created by Guest
Created on Apr 5, 2024

Hide UniqueID Token in GET parameter for MyFilegateway

Situation:

Using MyFilegateaway the uniqueId token is passed as parameters in the URL in GET/POST Request Methods


Example:

https://mft-nala-val.roche.com/myfilegateway/MyFGUpload.do?uniqueId=-1ccob8032vnyn


This value could be used accessing to Browser History of using a sniffer in the network.


Proposal:

Store the UniqueID token as Header parameter inside of the request or store the unique ID in session storage so it will be not accesible.


See: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html



What is your industry? Healthcare
How will this idea be used?
  • Our company are bonded to Regulatory and several Penetration Tests are run to our Services where this finding related to the UniqueID appears always.

  • Management of secrets as Tokens or passwords is a important part of the security plan.

  • Admin
    Mark Allen
    Reply
    |
    Oct 23, 2024

    I'm going to close this idea as it's been a while without a response. If this is an error, please open a new idea.

    Thank you for taking the time to provide your ideas to IBM. We truly value our relationship with you and appreciate your willingness to share details about your experience, your recommendations, and ideas.

  • Admin
    Mark Allen
    Reply
    |
    Jul 31, 2024

    Thank you for taking the time to provide your ideas to IBM. I truly value our relationship with you and appreciate your willingness to share details about your experience, your recommendations and ideas.

    I need a little more information to understand your idea. What is the security risk and severity that this issue is causing?


    I'm looking forward to your response. Once I can develop a clear picture of your request, I'll be able to let you know if we can add your idea to our future offering roadmap.

  • Admin
    Mark Allen
    Reply
    |
    Jul 24, 2024

    Thank you for taking the time to provide your ideas to IBM. We truly value our relationship with you and appreciate your willingness to share details about your experience, your recommendations, and ideas.

    We are currently reviewing this request with our technical team and will update the status once our analysis is complete.