Changing functionality in TRIRIGA to fix security vulnerabilities


In this day and age, security is a very hot topic. As soon as one vulnerability is addressed and mitigated, another one is found. It is a vicious circle of identifying and addressing vulnerabilities that does not seem to let up. In our fix pack release notes, information regarding the mitigation of vulnerabilities that were addressed without an APAR is listed. And sometimes, a vulnerability is addressed as an APAR.

The reason I am mentioning security vulnerabilities is that sometimes, when they are resolved, there is an impact on existing functionality, which may not always be clear. Sometimes, the result of fixing vulnerabilities can “change” functionality. As an example, in the TRIRIGA 3.5.2 release, external URL navigation items will now open in a new window to avoid cross-origin scripting vulnerabilities…

As the product develops and security vulnerabilities are found and addressed, it could mean a change in how something works. Reading the release notes can be a source of information, but it may not always be clear why something changed. We all know change is hard, especially when we are so used to it working in a certain way. I don’t know about you, but if the change was made to address a security vulnerability, I can live with that and accept the change.

[Admin: This post is related to the 04.07.17 post about APAR IV94912 where “External URL” navigation items may no longer work. To see other related posts, use the Security tag or Vulnerability tag.]

Continue reading

Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


[Updated 03.29.17]

For convenience, here are the some recent CVE IDs.

CVE ID Summary APAR
CVE-2016-9737 The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVE-2017-1153 The IBM TRIRIGA Report Manager contains a vulnerability that could allow authenticated users to execute actions to which they do not have access.
CVE-2017-1171 The IBM TRIRIGA Application Platform contains a vulnerability that could allow authenticated users to execute application actions to which they do not have access.
CVE-2017-1180 The IBM TRIRIGA Document Manager contains a vulnerability that could allow authenticated users to execute actions to which they do not have access.

[Admin: This post is related to the 05.17.16 post and the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]

Continue reading

IV88702: KNOWN_REFERRER_LIST prevents download of floor plan


With IV82436, in order to prevent cross-site request forgery (CSRF), the KNOWN_REFERRER_LIST was introduced in TRIRIGAWEB.properties. However, if the KNOWN_REFERRER_LIST is set, it does not allow you to download the floor plan graphic of a location record. When you right-click the graphic, and select to export as PDF, you get an error: “Sorry, your session has either timed out or is no longer active. For security reasons you have been redirected to this page. Please sign in again to continue.” Signing back in does not start the download either.

As a temporary fix, leave the KNOWN_REFERRER_LIST blank in TRIRIGAWEB.properties. Otherwise, if the KNOWN_REFERRER_LIST is set, graphics sections will not allow exports. Moving forward, graphic sections can now be exported when the KNOWN_REFERRER_LIST property is set.

Continue reading

IV88400: Reflected cross-site scripting (XSS)


Reflected cross-site scripting (XSS) vulnerabilities stem from the data in a request being echoed unsafely into an application’s response. Attackers can construct requests which will cause JavaScript code supplied by the attacker to be executed on the user’s browser and within the context of their current session. This might mean that the attacker would have access to their session tokens, could log their keystrokes, or launch a network scan from the users browser. An attacker may exploit this vulnerability in conjunction with a cross-site request forgery (CSRF) attack, or by providing a maliciously crafted link to a user in an email, chat, or webpage.

The impact of this vulnerability is contingent upon the function of the application. In addition to session hijacking, if the application uses broadly scoped cookies, the vulnerability may lead to widespread account compromise, data loss, and potential theft. A vulnerability of this type might be leveraged in a phishing campaign to exploit the trust and goodwill that users have in Apple in order to perform malicious attacks on the user.

Multiple parameters to “WebProcess.srv” were found to be vulnerable to reflected XSS when the “objectId” and “actionId” parameters are set to “840000” and “750812”, respectively.

Continue reading

IV85103: Cross-site scripting (XSS) vulnerability


Using the trustee account (external.trustee.02) and the image upload functionality within the Maintain User Profile page, it was possible to upload an HTML file containing JavaScript when the file was renamed to JPG.

Here are the direct links to the fix packs in Fix Central:

Moving forward, the vulnerability has been identified and resolved.

Continue reading

Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


[Updated 06.15.16 to add CVE-2016-2883 (2).]

[Updated 06.10.16 to add CVE-2016-2882.]

[Updated 05.31.16 to add CVE-2016-2883 (1).]

For convenience, here are the some recent CVE IDs.

CVE ID Summary APAR
CVE-2016-0362 The IBM TRIRIGA Application Platform allows remote attackers to use one of its web services as a proxy to forward HTTP requests to other internal/external web resources.
CVE-2016-0374 The IBM TRIRIGA Application Platform builder tools are vulnerable to a privilege escalation attack that can result in a user without access having the ability to modify TRIRIGA Applications.
CVE-2016-0386 The IBM TRIRIGA Application Platform is vulnerable to cross-site request forgery (CSRF), caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious website, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting (XSS) attacks, web cache poisoning, and other malicious activities.
CVE-2016-0387 The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2016-2882 The IBM TRIRIGA Application Platform could disclose some sensitive server information through URL request responses that could aid an attacker in further attacks against the system.
(1) CVE-2016-2883

(2) CVE-2016-2883

The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

[Admin: This post is related to the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]

Continue reading

IV84742: CSRF vulnerability where actions do not require a token


Some state-changing actions are not having the security token properly enforced, which can be a potential CSRF exposure. CSRF attacks with no token can generally be addressed by using the KNOWN_REFERRER_LIST property in the TRIRIGAWEB.properties file.

We added security validation to several pages throughout the platform. The issue has been resolved.

Continue reading