Cognos Powerplay Web Edition Weak Temp File Name Vulnerability

Darin White <d.w@IBM.NET> included this example in his June 28th, 1999 BugTraq posting:

Using the guest account or viewing an unprotected cube a user may right-click the content area and select View Frame Info which will display the temporary filename. By repeatedly reloading the initial cube view and viewing frame info a list of temporary filenames may be generated in order to analyze the filename algorithm.

e.g.

http://www.example.com/ppwb/Temp/1eeex.htm
http://www.example.com/ppwb/Temp/1f77x.htm
http://www.example.com/ppwb/Temp/1fcfx.htm
http://www.example.com/ppwb/Temp/1ff6x.htm
http://www.example.com/ppwb/Temp/2014x.htm

Analysis of the filename progression shows:

* the last char is 'x' for the data and 't' for the toolbar
* first n-1 chars are hexadecimal chars only
* the hexadecimal "numbers" comprising the filename are ascending only
* the first char is never 0. e.g. fffx.htm => 1000x.htm
* simple hexadecimal subtraction on the first n-1 chars of consecutive filenames shows a very predictable pattern.
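The check described in the posting above, written as an audit a defender could run over temp file names, followed by a name generator that does not have the weakness. This is an added example, not part of the original posting and not Cognos code; the function names and the 128-bit random name are assumptions made here for illustration.

```python
import math
import re
import secrets

# File names exactly as listed in the posting (path component only).
OBSERVED = ["1eeex.htm", "1f77x.htm", "1fcfx.htm", "1ff6x.htm", "2014x.htm"]

# Hex digits, then 'x' (data) or 't' (toolbar), then ".htm".
NAME_RE = re.compile(r"^([0-9a-f]+)([xt])\.htm$")


def counter_values(names):
    """Return the hex prefix of each name as an integer."""
    values = []
    for name in names:
        match = NAME_RE.match(name)
        if match is None:
            raise ValueError(f"name does not fit the observed pattern: {name!r}")
        values.append(int(match.group(1), 16))
    return values


def audit(names):
    """Measure how predictable a sequence of temp file names is."""
    values = counter_values(names)
    deltas = [b - a for a, b in zip(values, values[1:])]
    ascending = all(d > 0 for d in deltas)
    # If the next gap is no larger than the largest one seen, the next name
    # is one of max(deltas) values: that is the uncertainty left, in bits.
    bits = math.log2(max(deltas)) if ascending else None
    return {"deltas": deltas, "ascending": ascending, "next_name_bits": bits}


def unguessable_name(suffix="x"):
    """Hypothetical replacement: 128 bits from the OS CSPRNG per file.

    The name then carries no information about earlier or later names.
    The temp directory still needs its own access check.
    """
    return f"{secrets.token_hex(16)}{suffix}.htm"


if __name__ == "__main__":
    report = audit(OBSERVED)
    print("deltas:", [hex(d) for d in report["deltas"]])
    print("ascending only:", report["ascending"])
    print("bits of uncertainty in next name: %.1f" % report["next_name_bits"])
    print("random name for comparison:", unguessable_name())
```
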


 

Copyright 2010, SecurityFocus