IBM Cognos Business Intelligence Developer 10.2.1 (backURL) Open Redirect

Severity: Low
Advisory ID: ZSL-2015-5244
Release Date: 24 May 2015
Vendor: IBM Corporation - http://www.ibm.com
Affected Version: 10.2.1 (Build 10.2.5000.267) Trial
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Apache-Coyote/1.1, Apache Tomcat/6.0.35
Summary

IBM Cognos Business Intelligence is a web-based, integrated business intelligence suite by IBM. It provides a toolset for reporting, analysis, scorecarding, and monitoring of events and metrics. The software consists of several components to meet the different information requirements in a company.

Description

Input passed via the 'backURL' GET parameter in '/p2pd/servlet/dispatch' is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when the user clicks a specially crafted link to the affected script hosted on the trusted domain.
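The fix the advisory asks for is an allow-list check on the redirect target rather than reliance on an application firewall. The following is an added example of such a check, not code from the advisory or from IBM; the allowed hosts, the default landing path and the sample inputs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the application may send users to (constructed sample values).
ALLOWED_HOSTS = frozenset({"bi.example.com", "portal.example.com"})
# Where to land when backURL is missing or rejected (a safe local default).
DEFAULT_TARGET = "/p2pd/servlet/dispatch"


def safe_back_url(back_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target derived from a user-supplied backURL value.

    Only a single-slash relative path (same origin) or an absolute http(s)
    URL whose host is on the allow-list is accepted; anything else falls
    back to `default`. The checks cover the usual open-redirect tricks:
    foreign hosts, scheme-relative '//host', backslashes that browsers read
    as slashes, 'trusted@evil' userinfo confusion and non-HTTP schemes.
    """
    if not back_url:
        return default
    # Drop whitespace and control characters that browsers silently ignore,
    # then normalise backslashes so a backslash after the leading slash
    # cannot bypass the '//' check below.
    candidate = "".join(c for c in back_url.strip() if ord(c) > 0x1F)
    candidate = candidate.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: accept only '/path...', never '//host'.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return default
    if parts.scheme not in ("http", "https"):
        return default
    host = parts.hostname  # lower-cased by urlsplit, None if absent
    if host is None or "@" in parts.netloc or host not in allowed_hosts:
        return default
    # Rebuild from validated parts only; the fragment is deliberately dropped.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive in a crafted link.
    for value in ("/p2pd/servlet/dispatch?b_action=xts.run", "//evil.example/",
                  "/\\evil.example", "https://bi.example.com@evil.example/",
                  "https://bi.example.com.evil.example/", "javascript:alert(1)",
                  "https://BI.example.com:8443/x?y=1#f"):
        print(f"{value!r:48} -> {safe_back_url(value)}")
```

Every rejected value lands on the local default instead of being echoed back, so a crafted link can at worst return the user to the application itself.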

Proof of Concept
Disclosure Timeline
22.04.2015 - Vulnerability discovered.
23.04.2015 - Vendor contacted.
23.04.2015 - Vendor sends instructions for reporting security vulnerability.
28.04.2015 - Submitted details to vendor through online form.
29.04.2015 - Vendor confirms submission, assigning internal PSIRT Advisory ID 3198.
05.05.2015 - Asked vendor for status update.
05.05.2015 - Vendor is currently analyzing the issue.
11.05.2015 - Working with the vendor.
15.05.2015 - Vendor states that the issue is present only if the CAF (Cognos Application Firewall) is disabled (disabled by default in trial version).
15.05.2015 - Asked vendor to reconsider and create an input validation strategy such as whitelisting, because application firewalls might not cover all vectors.
18.05.2015 - Vendor does not consider this an issue.
19.05.2015 - Mutual agreement with the vendor.
28.05.2015 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
28.05.2015 - Initial release
01.06.2015 - Added reference [1] and [2]