IBM Watson (Cognea) - XSS and Redirect Vulnerabilities

2015-06-08T00:00:00
ID SECURITYVULNS:DOC:32178
Type securityvulns
Reporter Securityvulns
Modified 2015-06-08T00:00:00

Description

Vulnerability type: Cross-site Scripting & Redirect

Vendor: www.ibm.com

Product: IBM Watson Cloud Computing SaaS (Cognea)

Product Link: http://www.ibm.com/smarterplanet/us/en/ibmwatson/

Credit: Jerold Hoong

The logout.jsp page function of the IBM Watson (Cognea) SaaS application is vulnerable to reflected XSS and redirect attacks. The value of the Referer HTTP header is directly referenced by the logout.jsp page and echoes the input unmodified in to the application’s response.

PROOF OF CONCEPT (XSS)

  • Sample URL: http://127.0.0.1/test/logout.jsp
  • Parameter: Referer HTTP header
  • Payload: javascript:alert('XSS')//

PROOF OF CONCEPT (Redirect)

The logout.jsp page is vulnerable to unauthorised redirects.

  • Sample URL: http://127.0.0.1/test/logout.jsp
  • Parameter: Referer HTTP header
  • Payload: http://malicious-site.com/

TIMELINE

  • 16/04/2015: Vulnerability found
  • 17/04/2015: Vendor informed
  • 08/04/2015: Vendor responded and acknowledged
  • 03/06/2015: Vendor fixed the issue
  • 04/06/2015: Public disclosure