[NEWS] WebIntelligence Vulnerable to Session Hijacking

From: support@securiteam.com
Date: 01/13/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 13 Jan 2003 11:08:27 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      WebIntelligence Vulnerable to Session Hijacking
    ------------------------------------------------------------------------

    SUMMARY

    The WebIntelligence application (http://www.businessobjects.com/products/webi/)
    is a web interface to the Business Objects application server. It uses
    HTTPS and cookies to keep track of user sessions. These session cookies
    are guessable. An attacker who guesses a session cookie can use it to
    hijack another user's session and thereby gain unauthorized access to the
    WebIntelligence tool. The attacker can then take any action the original
    user is able to take, except changing the account password.

    There also exists a win32 client application that uses the same protocols
    and the same cookie mechanism to connect to the Business Objects server.

    Both web interface and client are vulnerable to session hijacking.

    DETAILS

    Vulnerable systems:
     * WebIntelligence version 2.7.1

    The WebIntelligence server assigns a cookie to each session for the
    purpose of session tracking. Whenever a user connects with a browser, the
    browser receives such a session ID cookie. If the user then authenticates
    successfully, the WebIntelligence server marks this session on the server
    side as 'authenticated'.

    For the rest of the session, the user's browser keeps sending this cookie
    back to the server; this is how the server keeps track of the user's
    session. As long as the session is marked 'authenticated', the server will
    not prompt the user for a password again.

    So, if an attacker succeeds in stealing or guessing a user's session ID
    cookie, the attacker may gain access to this user's WebIntelligence
    session. It has been found that WebIntelligence uses cookies that can be
    guessed by an attacker.

    As a result, the attacker can view any screen, including the mailbox, and
    perform any action the user can. The attacker cannot set a new password
    for the hijacked account, as this would require knowledge of the current
    password.
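    The weakness described above is that the session ID is predictable. As an added illustration (not part of the advisory, and not Business Objects' code), the following Python snippet shows a check a defender can run over a sample of session IDs issued by their own server, next to how an unguessable ID should be minted. The WEAK_IDS sample is constructed to mimic a counter-based generator; the thresholds are assumptions chosen for the demonstration.

```python
import math
import secrets
from collections import Counter

# Constructed sample (not real WebIntelligence output): the kind of IDs a
# counter-based generator hands to consecutive visitors, a fixed prefix plus
# a number that advances by a constant step.
WEAK_IDS = [f"WI{1000 + 7 * i:08d}" for i in range(20)]


def strong_session_id() -> str:
    """Mint a session ID from the OS CSPRNG: 128 bits, so guessing is hopeless."""
    return secrets.token_urlsafe(16)


def is_sequential(ids) -> bool:
    """True when the numeric part of every consecutive pair differs by the same
    small step, the signature of a counter that an attacker can simply walk."""
    nums = []
    for sid in ids:
        digits = "".join(ch for ch in sid if ch.isdigit())
        if not digits:
            return False
        nums.append(int(digits))
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return len(diffs) == 1 and abs(diffs.pop()) < 100


def shannon_bits(ids) -> float:
    """Shannon entropy per character (bits), pooled over the sample. A rough
    sanity check only: a low value proves weakness, a high value proves nothing."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def audit(ids, min_bits_per_char: float = 3.5) -> list:
    """Return findings for a sample of issued session IDs; empty means it passed."""
    findings = []
    if is_sequential(ids):
        findings.append("sequential: IDs advance by a constant step")
    if shannon_bits(ids) < min_bits_per_char:
        findings.append("low entropy: character distribution is too skewed")
    return findings


if __name__ == "__main__":
    print("weak sample:", audit(WEAK_IDS))
    print("strong sample:", audit([strong_session_id() for _ in range(20)]))
```

The counter check and the entropy estimate are screening heuristics; passing them is necessary but not sufficient, and only a CSPRNG-backed generator like strong_session_id gives a session ID the guarantee this advisory's cookies lacked.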

    Extension
    The Business Objects full client (ZABO) is a Windows application that can
    be downloaded through the WebIntelligence interface. Although it does not
    run in a browser, it uses the same HTTPS protocol to connect to the
    WebIntelligence server, and the same session ID cookies are used.
    Therefore, ZABO is also vulnerable to this attack.

    The client-only product (BusinessObjects) is not at risk.

    Solution
    Business Objects (http://www.businessobjects.com) has a HotFix for this
    issue (Bug ID 1063161), and the fix is expected to be incorporated in
    Service Pack 7, expected in the early part of Q2.

    Business Objects advises its customers to deploy the appropriate CSP on
    all their server machines. The appropriate CSPs for SP3, SP4, SP5 and SP6
    can be downloaded from:
    http://techsupport.businessobjects.com/app/SecBulletin_120402.asp

    Timeline (only relevant steps)
    November 2002: Ubizen contacted and provided details to Business Objects
    December 2002: Received bug ID and preliminary fix info from Business
    Objects
    January 2003: Business Objects released security bulletin and fixes to its
    customers

    ADDITIONAL INFORMATION

    The information has been provided by Stijn Durant of Ubizen
    (http://www.ubizen.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
