IV82433: Sensitive information displayed in error message


The TRIRIGA application often discloses information about itself without intending to. HTTP responses that change with the input data and reveal details about the server are examples of this kind of information leakage. Here is one of several examples that shows the issue:

  • URL: xxxx/pc/birtviewer.query?tririgasecuritytoken=bnFaJRx8SYuUdQyCmYxyR2F&_queryId=133972
  • Parameter: _queryId
  • Attack value: 13397a

Steps to replicate:

  1. Log in to the application.
  2. Navigate to the Home portal.
  3. Click on Financial Reporting > Balance Sheet Accounting Report > Balance Sheet > Future Accounting.
  4. Intercept the request and apply the attack value in the mentioned parameter of the target URL: xxxx/pc/birtviewer.query?tririgasecuritytoken=bnFaJRx8SYuUdQyCmYxyR2F&_queryId=133972

This happens at various other spots in the application.

Some configured servlets returned the full stack trace of an exception to the end user. This issue, where in some cases an error message would display a Java stack trace, has been resolved.
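As an added illustration (not IBM's code; the query table, handler names and the correlation id are constructed stand-ins), the before-and-after behaviour in Python: a malformed `_queryId` such as `13397a` makes the leaky handler return the exception trace to the client, while the hardened handler logs it server-side and returns only an opaque reference. `leaks_stack_trace` is the kind of response check a scanner or test would apply to catch the leak.

```python
import logging
import re
import traceback
import uuid

# Constructed stand-in for the report servlet's query lookup; the real
# TRIRIGA birtviewer.query servlet and its data are not on this page.
QUERIES = {133972: "Balance Sheet > Future Accounting"}

log = logging.getLogger("birtviewer")


def lookup_query(query_id: str) -> str:
    """Raises ValueError on non-numeric ids and KeyError on unknown ones."""
    return QUERIES[int(query_id)]


def handle_leaky(params: dict) -> tuple:
    """Before the fix: the exception text and full stack trace reach the client."""
    try:
        return 200, lookup_query(params["_queryId"])
    except Exception:
        return 500, traceback.format_exc()


def handle_hardened(params: dict) -> tuple:
    """After the fix: the trace goes to the server log; the client gets a generic
    message plus an opaque reference that support can match against the log."""
    try:
        return 200, lookup_query(params["_queryId"])
    except Exception:
        ref = uuid.uuid4().hex[:12]  # hypothetical correlation id
        log.exception("request failed ref=%s params=%s", ref, params)
        return 500, "An error occurred. Reference: %s" % ref


# Markers of a leaked stack trace in a response body: a Python traceback
# header, a Java frame line "at pkg.Class.method(Class.java:NN)", or a
# Java/Python exception class name.
TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)"
    r"|\bat [\w$.]+\([\w$]+\.java:\d+\)"
    r"|[\w$.]*(?:Exception|Error)\b"
)


def leaks_stack_trace(body: str) -> bool:
    """True if the response body looks like it contains a stack trace."""
    return bool(TRACE_RE.search(body))
```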
