Cloud Management and AIOps



Status Under review
Created by Guest
Created on Nov 13, 2024

Unrestricted URL Loading

Background:
Unrestricted URL loading and redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection/loading in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.


Issue:
During the assessment, we observed that users have the ability to input and load a malicious page and render it live within the application. 

This feature allows users to enter any website URL of their choice, which is then stored within the application as part of a widget component that displays the interactable website corresponding to that URL. Subsequently, when a user accesses the widget, they can directly access this website and other external websites that are associated or redirected from that loading page inside the application itself.

Steps to reproduce:
1. Login to the application
2. Select Boards and create a widget
3. Add a malicious URL in the src input field
4. Save and open the widget


Risk
The risk of not sanitizing the URL and enabling URL redirection to a malicious site can lead to the following security issues:
- Phishing Attacks: Attackers can craft malicious URLs that resemble legitimate websites, tricking users into visiting malicious sites and providing sensitive information such as login credentials or financial details. This can result in financial loss, identity theft, or unauthorized access to user accounts.
- Malware Infections: By redirecting users to malicious websites, attackers can exploit vulnerabilities in the user's system or browser to deliver malware or initiate drive-by downloads. This can compromise the user's device, leading to data breaches, data loss, or unauthorized access to the device or network.
- Reputation and Trust Damage: If users repeatedly encounter malicious redirects from your application, it can damage your organization's reputation and erode user trust. Users may perceive your website as compromised or unsafe, leading to a loss of visitors, customers, and revenue.

Recommendation
To mitigate these risks, it is crucial to sanitize and validate input received from users, especially when it involves URLs or redirection.
Implement input validation techniques to ensure that URLs are properly formed and do not contain any suspicious or malicious content.
Perform server-side checks to validate the legitimacy and safety of redirection targets.
A check in TWS that limits users from loading malicious sites on the TWS console would be better.
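As an added illustration of the server-side check the recommendation describes (example code, not part of the submission or of the product), the following validator accepts a widget src URL only if it is https and its host is on, or a subdomain of, an allowlist; the allowlisted hosts and the https-only rule are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed allowlist of hosts a widget may embed (constructed example values).
ALLOWED_HOSTS = {"dashboards.example.com", "docs.example.com"}
ALLOWED_SCHEMES = {"https"}  # assumption: plain http is not permitted either


def validate_widget_src(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a canonical URL if it may be stored as a widget src, else raise ValueError.

    Intended to run server-side when the widget is saved, so that scheme-relative
    URLs, embedded credentials, non-http schemes and look-alike hosts are
    rejected before anything is persisted or rendered.
    """
    if not isinstance(url, str) or len(url) > 2048:
        raise ValueError("src must be a string of at most 2048 characters")
    # Control characters and backslashes have no legitimate use here and are
    # classic parser-confusion characters, so reject them before parsing.
    if any(ord(c) < 0x20 or c == "\\" for c in url):
        raise ValueError("src contains control or backslash characters")
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not permitted")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials are not permitted in src")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("src has no host")
    # Exact match or a proper subdomain; a suffix check alone would let
    # "dashboards.example.com.evil.test" through, so require the leading dot.
    if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
        raise ValueError(f"host {host!r} is not on the allowlist")
    # parts.port raises ValueError itself for malformed ports, which is what we want.
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    # Store a canonical form: lower-case scheme and host, explicit path, no fragment.
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))


def is_safe_widget_src(url: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_widget_src(url)
        return True
    except ValueError:
        return False
```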

Idea priority Urgent