J-Security Center

Title: Cognos Powerplay Web Edition CGI Parameters Vulnerability

Severity: MODERATE

Description:

Cognos Powerplay Web Edition is a commercial Business Performance Measurement and Reporting application.

Certain CGI parameters passed to the host cause it to disclose sensitive information.

'?TOC', or leaving the parameter blank, will display a table of contents listing the web-enabled cubes. '?ABOUT=' will display version information. Additionally, passing 'PPWB' as a hidden parameter in the data contents frame will display the location of the unaliased temporary directory.

This information gathering can be used to aid in further attacks on the host.

It should be noted that data cubes are stored in temporary directories and contain sensitive information. Any intelligence gathered about the location of data cubes can lead to that information being disclosed to attackers.
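As an added detection example (not part of the advisory or the vendor's software), the following scans web-server access-log lines for requests to the PowerPlay CGI that carry the parameters named above ('TOC', 'ABOUT', 'PPWB') or no query at all. The CGI path prefix and the sample log lines are constructed assumptions for illustration.

```python
"""Flag access-log entries matching the Cognos PowerPlay Web Edition
parameter disclosure described in the advisory."""
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: path under which the PowerPlay Web Edition CGI is served.
POWERPLAY_CGI_PREFIX = "/cgi-bin/ppwb"
# Parameter names the advisory says disclose information.
DISCLOSING_PARAMS = {"TOC", "ABOUT", "PPWB"}

# Common Log Format: host ident user [time] "method url proto" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def classify_request(url):
    """Return the disclosure indicators found in a request target, or []."""
    parts = urlsplit(url)
    if not parts.path.lower().startswith(POWERPLAY_CGI_PREFIX):
        return []
    if parts.query == "":
        # A blank parameter also yields the table of contents of cubes.
        return ["blank-query"]
    # keep_blank_values keeps '?TOC' and '?ABOUT=' (no value) as keys.
    keys = {k.upper() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return sorted(keys & DISCLOSING_PARAMS)

def scan_log(lines):
    """Return (client_ip, timestamp, url, indicators) for suspicious entries."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, ts, _method, url, _status = m.groups()
        indicators = classify_request(url)
        if indicators:
            hits.append((ip, ts, url, indicators))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2001:10:00:01 +0000] "GET /cgi-bin/ppwb?TOC HTTP/1.0" 200 5120',
    '10.0.0.5 - - [12/Mar/2001:10:00:07 +0000] "GET /cgi-bin/ppwb?ABOUT= HTTP/1.0" 200 812',
    '10.0.0.9 - - [12/Mar/2001:10:01:15 +0000] "GET /cgi-bin/ppwb?PPWB=1&CUBE=sales HTTP/1.0" 200 2048',
    '10.0.0.5 - - [12/Mar/2001:10:02:00 +0000] "GET /cgi-bin/ppwb HTTP/1.0" 200 5120',
    '10.0.0.7 - - [12/Mar/2001:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 1200',
    '10.0.0.7 - - [12/Mar/2001:10:03:30 +0000] "GET /cgi-bin/ppwb?CUBE=sales&REPORT=q1 HTTP/1.0" 200 9000',
]

if __name__ == "__main__":
    for ip, ts, url, indicators in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {url} -> {','.join(indicators)}")
```

Repeated hits from one client address across the 'TOC', 'ABOUT' and blank-query cases, as in the sample, are the reconnaissance pattern the advisory warns about.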

Affected Products:

  • Cognos Powerplay Web Edition 4.0.0
  • Cognos Powerplay Web Edition 4.1.0
  • Cognos Powerplay Web Edition 5.0.01
  • Cognos Powerplay Web Edition 5.21.0
  • Cognos Powerplay Web Edition 6.5.0

References:
