[VulnWatch] Corsaire Security Advisory - Business Objects WebIntelligence arbitrary document deletion issue

From: advisories (advisories_at_corsaire.com)
Date: 09/17/04

  • Next message: advisories: "[VulnWatch] Corsaire Security Advisory - Business Objects WebIntelligence XSS issue"
    To: <vulnwatch@vulnwatch.org>
    Date: Fri, 17 Sep 2004 11:14:18 +0100
    
    

    -- Corsaire Security Advisory --

    Title: Business Objects WebIntelligence arbitrary document deletion issue
    Date: 27.05.04
    Application: WebIntelligence 2.7, Business Objects 5.1
    Environment: Various
    Author: Stephen de Vries [stephen@corsaire.com]
    Audience: General distribution
    Reference: c040527-001

    -- Scope --

    The aim of this document is to clearly define a vulnerability in the
    WebIntelligence product, as supplied by Business Objects [1], that
    allows an authenticated attacker to bypass the access control
    restrictions and delete arbitrary documents.

    -- History --

    Discovered: 20.05.04
    Vendor notified: 28.05.04
    Document released: 17.09.04

    -- Overview --

    The WebIntelligence product provides a web based interface to the
    Business Objects query tool. Users can upload, delete and assign access
    rights to documents. A vulnerability in the application allows
    authenticated users to bypass the access controls and delete arbitrary
    documents from the application.

    -- Analysis --

    It appears that WebIntelligence implements access control on the client-
    side by only displaying the permitted actions in the browser. If a user
    is not permitted to delete a document, then the delete button is not
    displayed. However, if the deletion request is performed manually, any
    document can be deleted.

    Documents submitted for deletion are identified by WebIntelligence using
    two identifiers: the document ID and the document name. These are
    displayed as URL parameters when a request is made to download the
    document. Even if the user does not have permission to delete the
    document, they can place the identifier values into a deletion request
    URL and thereby bypass the functionality.

    -- Recommendations --

    Business Objects have made patches available to correct this issue,
    which can be downloaded from the Online Customer Support site.

    Relevant updates are:

    WebIntelligence 2.7.0 - 2.7.2 & InfoView 5.1.4 - 5.1.6 (SP4-SP6)
    Upgrade to SP7 or SP8 and apply available patches

    WebIntelligence 2.7.3 & InfoView 5.1.7 (SP7)
    Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP860)

    WebIntelligence 2.7.4 & InfoView 5.1.8 (SP8)
    Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP864)

    -- CVE --

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the name CAN-2004-0533 to this issue. This is a candidate for
    inclusion in the CVE list (http://cve.mitre.org), which standardises
    names for security problems.

    -- References --

    [1] http://www.businessobjects.com

    -- Revision --

    a. Initial release.
    b. Minor grammatical changes.
    c. Added CVE reference.
    d. Released.

    -- Distribution --

    This security advisory may be freely distributed, provided that it
    remains unaltered and in its original form.

    -- Disclaimer --

    The information contained within this advisory is supplied "as-is" with
    no warranties or guarantees of fitness of use or otherwise. Corsaire
    accepts no responsibility for any damage caused by the use or misuse of
    this information.

    -- About Corsaire --

    Corsaire are a leading information security consultancy, founded in 1997
    in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
    analytical rigour to every job, which means fast and dramatic security
    performance improvements. Our services centre on the delivery of
    information security planning, assessment, implementation, management
    and vulnerability research.

    A free guide to selecting a security assessment supplier is available at
    http://www.penetration-testing.com

    Copyright 2004 Corsaire Limited. All rights reserved.


  • Next message: advisories: "[VulnWatch] Corsaire Security Advisory - Business Objects WebIntelligence XSS issue"

    Relevant Pages