Why aren’t the locator fields in editable queries populated in 3.5.2?


After upgrading to TRIRIGA 3.5.2, we are facing an issue on editable queries, where the locator fields are not populating after selecting a value from the popup query. Also, it logs out after we select a value, click “OK”, and refresh. Has someone faced the same issue? Or is it a known issue?

This issue is resolved in the 3.5.2.1 Fix Pack and is now available on Fix Central. The readme file for 3.5.2.1 can be found here.


Getting an HTTP Error 500 when previewing BIRT form reports


I recently upgraded to TRIRIGA platform 3.5.1 and installed Eclipse Kepler 4.3.1 per the 3.5 Reporting User Guide. I can import, create and preview a query report.

But when I import and create a form report, I get an error when trying to preview using View Report as PDF. HTTP ERROR: 500 Problem accessing /viewer/preview. Reason: Server Error. Powered by Jetty. Trying to preview in Web Viewer gets the same error except: Problem accessing /viewer/frameset. I have recreated this in multiple environments, including an OOB install of TRIRIGA 3.5.1. Please advise.

If you upgrade the BIRT Designer to version 4.6 that runs with Java 8, this issue should go away. We will be updating our Support Matrix to state that Designer 4.6 is required for preview to work… Are you running the Windows operating system for your application server? If you are, you will want to apply the 3.5.1.1 Fix Pack which is available on Fix Central. It has a fix specific to BIRT and Windows OS.


IV85103: Cross-site scripting (XSS) vulnerability


Using the trustee account (external.trustee.02) and the image upload functionality within the Maintain User Profile page, it was possible to upload an HTML file containing JavaScript when the file was renamed to JPG.

Here are the direct links to the fix packs in Fix Central:

Moving forward, the vulnerability has been identified and resolved.
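The class of flaw described in IV85103 arises when an upload handler trusts the file extension. The following added example (not IBM's fix and not TRIRIGA code; all function names and sample bytes are hypothetical) decides on the file's leading bytes instead, and returns headers that stop a browser from re-interpreting a stored upload as HTML:

```python
import os

# Leading byte signatures for the image types a profile-photo upload should accept.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
CONTENT_TYPES = {"jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif"}


def sniff_image_type(data: bytes):
    """Return the image type implied by the file's leading bytes, or None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, detail). The extension is only a claim; the bytes decide."""
    claimed = EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    if claimed is None:
        return False, "extension not on the allow-list"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content is not a recognised image"
    if actual != claimed:
        return False, f"extension claims {claimed}, content is {actual}"
    return True, actual


def serving_headers(kind: str):
    """Headers for returning a stored upload so browsers do not content-sniff it."""
    return {
        "Content-Type": CONTENT_TYPES[kind],
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample inputs (not taken from the APAR).
RENAMED_HTML = b"<html><body><script>/* placeholder */</script></body></html>"
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    print(validate_upload("avatar.jpg", RENAMED_HTML))    # rejected
    print(validate_upload("avatar.jpg", REAL_JPEG_HEAD))  # accepted as jpeg
```

A signature check only inspects the start of the file, so re-encoding accepted images on the server and serving them with the headers above are the complementary controls.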


Why doesn’t the calendar picker work for dates past 31 Dec 2038?


When you try to use a calendar picker and the date is past 31 Dec 2038, that date is not available. It’s not possible to pick the date. The calendar picker browsing stops in December 2038.

The Dojo library timezone.js has 2038 as the maximum date. This affects any TRIRIGA environment up to 3.4.2.1. The workaround is to manually enter the date, following the correct format, taking into consideration the localization. The fix is available in Fix Pack 2 for 3.4.2, which is available in Fix Central.

[Admin: This post is related to the 08.07.15 post about APAR IV75813 where you cannot select dates past 31-Dec-2038 with the calendar picker.]


Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


[Updated 06.15.16 to add CVE-2016-2883 (2).]

[Updated 06.10.16 to add CVE-2016-2882.]

[Updated 05.31.16 to add CVE-2016-2883 (1).]

For convenience, here are some recent CVE IDs.

| CVE ID | Summary | APAR |
|---|---|---|
| CVE-2016-0362 | The IBM TRIRIGA Application Platform allows remote attackers to use one of its web services as a proxy to forward HTTP requests to other internal/external web resources. | |
| CVE-2016-0374 | The IBM TRIRIGA Application Platform builder tools are vulnerable to a privilege escalation attack that can result in a user without access having the ability to modify TRIRIGA Applications. | |
| CVE-2016-0386 | The IBM TRIRIGA Application Platform is vulnerable to cross-site request forgery (CSRF), caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious website, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting (XSS) attacks, web cache poisoning, and other malicious activities. | |
| CVE-2016-0387 | The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. | |
| CVE-2016-2882 | The IBM TRIRIGA Application Platform could disclose some sensitive server information through URL request responses that could aid an attacker in further attacks against the system. | |
| (1) CVE-2016-2883, (2) CVE-2016-2883 | The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. | |

[Admin: This post is related to the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]


How do you download an IBM TRIRIGA platform fix pack?


How do you download an IBM TRIRIGA platform fix pack? I need to find and download the most recent fix pack (FP) file for my current release and cannot find information on how to do that.

Follow these steps for downloading an IBM TRIRIGA platform fix pack from the IBM official site:

  • (1) Go to the IBM Fix Central site.
  • (2) For the Product Selector field, enter IBM TRIRIGA Application Platform.
  • (3) For the Installed Version field, select the IBM TRIRIGA Fix Pack version you want to download from the list presented.
  • (4) For the Platform field, select from the list the operating system (OS) that your system uses, so that the correct binaries for that OS are selected for download. Then click the Continue button.
  • (5) On the “Identify fixes” page, click on the Continue button.
  • (6) On the “Select fixes” page, checkmark the files you want to download. Make sure to checkmark the README file for the Fix Pack version, since it will include information for that release along with the installation instructions. Once you have checkmarked the items on that list, click on the Continue button again.
  • (7) Provide your credential information (user/password) for the “Sign in to IBM” page.
  • (8) On the “Download options” page, select the download option you want to use, and then click on the Continue button again.
  • (9) Based on your download option, a page will be displayed so that you can select and download the files. For the example, you need to click on the links to open the Explorer window requesting you to select the local folder where you want to keep the file.
  • (10) Unzip the zipped downloaded files and follow the instructions on the README file to install the IBM TRIRIGA platform fix pack.


Where is the Real Estate Lease Abstract offline form in TRIRIGA?


A common question about new TRIRIGA installations is: Where is the Real Estate Lease Abstract offline form, since it is not in the Tools > Data Utilities > Lease Abstract Offline area? Why is that so?

When you have a new install and you go to the user documentation to follow the instructions on how to use the Real Estate Lease Abstract offline form, the instructions point out that you must navigate to Tools > Data Utilities > Lease Abstract Offline and work with the Real Estate Lease Abstract offline form there. But when you do so, the list is empty. You might ask: Is the offline form in a separate download in IBM Passport Advantage or IBM Fix Central?

Not really. The offline form is indeed in TRIRIGA, but in another place. The form must be downloaded, the spreadsheet populated, and the content uploaded, as follows:

  • 1. Navigate to Tools > System Setup > Integration > Offline Content.
  • 2. Download the triRELeaseAbstract form. We also have one form for each language we support.
  • 3. Fill out the form (General section: Units sub-section, Premise Location table; Rent section: Rent Schedules table; and all mandatory data).
  • 4. Save the form on your local machine.
  • 5. Upload the form by going to Tools > Data Utilities > Lease Abstract Offline. Click “Add” to add the form and upload your content.

There you go, a fresh new form out of the oven for you.
