Security penetration testing determined that sending certain parameters to IDM results in IDM throwing a 500 error and displaying a stack trace. For example, a request to
https://idm.test.com/iam/im/identityEnv/ui7/index.jsp?javax.faces.ViewState=abcdefg
displays the following error:
Exception during page display: javax.servlet.jsp.JspException: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher at com.netegrity.taglib.skin.TagUtilLocal.jsfProcessing(TagUtilLocal.java:447)
...
IM 14.4 SP2
The fix for 14.4 SP2 (non-vAPP) adds a new Error 500 page, so the user no longer sees the code stack trace; the response shows only a generic "Internal Server Error" instead.
The fix is expected to be included in 14.5 SP2. Please contact Support for the hotfix for 14.4.2 (DE605511_IM1442NONVapp_HF.zip) or other versions.
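As an added illustration, not the hotfix's own code (which this page does not publish), the standard servlet mechanism for replacing a container's default stack-trace page with a generic one is an error-page mapping in the application's web.xml; the location /error500.jsp is an assumed name.

```xml
<!-- Added example, not the IDM hotfix itself. /error500.jsp is an assumed file
     name: a static page (or a JSP without isErrorPage="true") that never renders
     the exception, its message, or its stack trace. -->
<web-app>
  <!-- existing servlet and filter mappings go here -->

  <!-- Responses the container has already turned into HTTP 500. -->
  <error-page>
    <error-code>500</error-code>
    <location>/error500.jsp</location>
  </error-page>

  <!-- Unhandled exceptions (e.g. a JspException wrapping the
       IllegalBlockSizeException shown above) caught before the container
       renders its default page, which includes the trace. Mapping on the
       exception type as well as the status code covers both paths. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error500.jsp</location>
  </error-page>
</web-app>
```

To confirm the fix is effective, repeat the request from the description and check that the response body contains only the generic message, with no "Exception during page display" text and no `.java:` frame references. Check the other error codes the container can return (for example 404 and 403) the same way, since the default pages for those can also expose implementation details.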