IBM Support

PM86344: BAD URL WITH CHART DOWNLOAD WHEN THIRD PARTY XSS CHECKING ENABLED


APAR status

  • Closed as program error.

Error description

  • Customer has a Windows 2008 environment and Cognos 10.2. Customer
    is also using SSL, and has an F5 gateway load balancer. When the
    client runs a report which has a chart and attempts to download
    the chart (right-click --> Download chart), the user gets a bad URL
    and the download fails.

    For example, in production using IE 8 the client gets this kind of
    URL:

    https://cognos.graceland.edu/BI/cgi-bin/cognosisapi.dllXSSSTART?b_5faction=dc&f=b3V0cHV0MzE3Mzk0MDUxMTEwMTMzNA_5f_5f&k=FAAAAKOuujBJO_2azV31P7G-75FwLQ8BZXWKrIZjxzUM-hTlI9fqcdt4lxA1Y_5f&s=FAAAAKOuujBJO_2azV31P7G-75FwLQ8BZXH8pc-?N607y2Rtcy39aBO_2agTFwOA_5f&did=8B12286B-87EF-4D59-964B-41D2D36FD00F&download=trueXSSEND

    Notice that in ../cgi-bin/cognosisapi.dllXSSSTART? the question
    mark is supposed to come between cognosisapi.dll and XSSSTART.
    In fact, when the client moves the question mark as follows
    (..../cgi-bin/cognosisapi.dll?XSSSTART):

    https://cognos.graceland.edu/BI/cgi-bin/cognosisapi.dll?XSSSTARTb_5faction=dc&f=b3V0cHV0MzE3Mzk0MDUxMTEwMTMzNA_5f_5f&k=FAAAAKOuujBJO_2azV31P7G-75FwLQ8BZXWKrIZjxzUM-hTlI9fqcdt4lxA1Y_5f&s=FAAAAKOuujBJO_2azV31P7G-75FwLQ8BZXH8pc-?N607y2Rtcy39aBO_2agTFwOA_5f&did=8B12286B-87EF-4D59-964B-41D2D36FD00F&download=trueXSSEN

    the client is able to download the chart.

    I asked the client to set up a separate test environment and
    bypass the F5 load balancer (hitting the gateway directly), but we
    got the same results, with some bizarre results across various
    browsers and versions. In IE 9 and 10 (though not supported), the
    "XSSSTART" comes directly in front of https.

    --- test results carried out by client, no F5 involved ---

    Report:
    https://felli.graceland.edu/bi/cgi-bin/cognosisapi.dll?b_action=cognosViewer&ui.action=run&ui.object=XSSSTART*2fcontent*2fpackage*5b*40name*3d*27Core*20Package*27*5d*2freport*5b*40name*3d*27Test*27*5dXSSEND&ui.name=Test&run.outputFormat=&run.prompt=true&ui.backURL=XSSSTART*2fbi*2fcgi-bin*2fcognosisapi.dll*3fb_5faction*3dxts.run*26m*3dportal*2fcc.xts*26m_5ffolder*3di103BE988F4E84146858815D194C320C0XSSEND

    Download chart (Firefox 3.6):
    https://felli.graceland.edu/bi/cgi-bin/cognosisapi.dllXSSSTART?b_5faction=dc&f=b3V0cHV0MzE3MzUwMTgxOTEwMzEzMzQ_5f&k=FAAAABUn044V1ogjDcP5fjm6KSGoMI83AuCorZYw6l5lQaj0aSzdLN3U22M_5f&s=FAAAABUn044V1ogjDcP5fjm6KSGoMI8368WfvYTiDOUajyW-wNwKugKbHaw_5f&did=1D9D1854-89B5-4496-B863-AF5FD6CE55AC&download=trueXSSEND

    Download chart (IE10):
    xssstarthttps://felli.graceland.edu/bi/cgi-bin/cognosisapi.dll?b_5faction=dc&f=b3V0cHV0MzE3MzUwMTkxMzY2NjEzMzQ_5f&k=FAAAABUn044V1ogjDcP5fjm6KSGoMI830GndOkQFCW5tJtnNm0qLepwjlKg_5f&s=FAAAABUn044V1ogjDcP5fjm6KSGoMI83qzI_2auipb1kkz2wZhEyyZGUgo3aQ_5f&did=1D9D1854-89B5-4496-B863-AF5FD6CE55AC&download=trueXSSEND

    Download chart (IE9 on felli):
    xssstarthttps://felli.graceland.edu/bi/cgi-bin/cognosisapi.dll?b_5faction=dc&f=b3V0cHV0MzE3MzUwMjIyNTg3MDcyNA_5f_5f&k=FAAAABUn044V1ogjDcP5fjm6KSGoMI83VYz991_2a-_2aYNpDWNjGP4M7MC2-eA_5f&s=FAAAABUn044V1ogjDcP5fjm6KSGoMI83XexfgAYptASlFy3KtH4gFSVF9cE_5f&did=1D9D1854-89B5-4496-B863-AF5FD6CE55AC&download=trueXSSEND

    Download chart (Chrome 26):
    https://felli.graceland.edu/bi/cgi-bin/cognosisapi.dllXSSSTART?b_5faction=dc&f=b3V0cHV0MzE3MzUwMjA0MzEzMTEzMzQ_5f&k=FAAAABUn044V1ogjDcP5fjm6KSGoMI83iMP01xowD5MEE-SP_2a6a8qhXMhKM_5f&s=FAAAABUn044V1ogjDcP5fjm6KSGoMI83rgQn75oLzk-g8X4-n5_2aJWBHxLps_5f&did=1D9D1854-89B5-4496-B863-AF5FD6CE55AC&download=trueXSSEND

    Download chart (IE10, without Valid Domains set in IBM Cognos
    Config):
    xssstarthttps://felli.graceland.edu/bi/cgi-bin/cognosisapi.dll?b_5faction=dc&f=b3V0cHV0MzE3MzUwMjUyNzgzMzEzMzQ_5f&k=FAAAABUn044V1ogjDcP5fjm6KSGoMI83XkBnmheLUpi19F_2aRRNoWg-zFta8_5f&s=FAAAABUn044V1ogjDcP5fjm6KSGoMI83yykqryDdkZqfukH_2aY0YrzlxkdSo_5f&did=1D9D1854-89B5-4496-B863-AF5FD6CE55AC&download=trueXSSEND

    ----------------------------------------------------------------

    One test I asked the client to do was to turn off XSS Third Party
    Checking; this worked well (no URL errors, and the client was able
    to download the chart). The dilemma the client has is that if they
    turn off third party XSS checking, many Favourites and Bookmarks
    on end-user machines will have to be redone. The client insists
    that the F5 load balancer is not involved in cross-site script
    checking.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All Users                                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See error description.                                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to IBM Cognos Business Intelligence 10.2 Refresh     *
    * Pack 1                                                       *
    * or IBM Cognos Business Intelligence 10.2 Fix Pack 2          *
    ****************************************************************
    

Problem conclusion

  • Code Fix
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM86344

  • Reported component name

    COG ADMINISTRAT

  • Reported component ID

    5724W12AD

  • Reported release

    A20

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-04-04

  • Closed date

    2014-03-31

  • Last modified date

    2014-03-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    COG ADMINISTRAT

  • Fixed component ID

    5724W12AD

Applicable component levels

  • RA20 PSN

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEP7J","label":"Cognos Business Intelligence"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.2","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
06 March 2023