| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201506040315.t543FrlD029162@sf01web2.securityfocus.com>
Date: Thu, 4 Jun 2015 03:15:53 GMT
From: jerold@...d00sec.com
To: bugtraq@...urityfocus.com
Subject: IBM Watson (Cognea) - XSS and Redirect Vulnerabilities
# Vulnerability type: Cross-site Scripting & Redirect
# Vendor: www.ibm.com
# Product: IBM Watson Cloud Computing SaaS (Cognea)
# Product Link: http://www.ibm.com/smarterplanet/us/en/ibmwatson/
# Credit: Jerold Hoong
The logout.jsp page function of the IBM Watson (Cognea) SaaS application is
vulnerable to reflected XSS and redirect attacks. The value of the Referer
HTTP header is directly referenced by the logout.jsp page and echoes the input
unmodified in to the application’s response.
# PROOF OF CONCEPT (XSS)
- Sample URL: http://127.0.0.1/test/logout.jsp
- Parameter: Referer HTTP header
- Payload: javascript:alert('XSS')//
# PROOF OF CONCEPT (Redirect)
The logout.jsp page is vulnerable to unauthorised redirects.
- Sample URL: http://127.0.0.1/test/logout.jsp
- Parameter: Referer HTTP header
- Payload: http://malicious-site.com/
# TIMELINE
- 16/04/2015: Vulnerability found
- 17/04/2015: Vendor informed
- 08/04/2015: Vendor responded and acknowledged
- 03/06/2015: Vendor fixed the issue
- 04/06/2015: Public disclosure
Powered by blists - more mailing lists