[VulnWatch] Corsaire Security Advisory - Business Objects WebIntelligence XSS issue

From: advisories (advisories_at_corsaire.com)
Date: 09/17/04

  • Next message: E.Bos_at_reseau.nl: "[VulnWatch] OpenBSD radius authentication vulnerability"
    To: <vulnwatch@vulnwatch.org>
    Date: Fri, 17 Sep 2004 11:19:00 +0100
    
    

    -- Corsaire Security Advisory --

    Title: Business Objects WebIntelligence XSS issue
    Date: 27.05.04
    Application: WebIntelligence 2.7, Business Objects 5.1
    Environment: Various
    Author: Stephen de Vries [stephen@corsaire.com]
    Audience: General distribution
    Reference: c040527-002

    -- Scope --

    The aim of this document is to clearly define a vulnerability in the
    WebIntelligence product, as supplied by Business Objects [1], that
    allows an authenticated attacker to perform a Cross Site Scripting (XSS)
    attack [2].

    -- History --

    Discovered: 20.05.04
    Vendor notified: 28.05.04
    Document released: 17.09.04

    -- Overview --

    The WebIntelligence product provides a web based interface to the
    Business Objects query tool. The WebIntelligence application validates
    certain input data on the client side, however, this validation is not
    enforced on the server side. By bypassing the client validation, it is
    possible to achieve an XSS attack, potentially giving access to
    confidential information, such as session cookies etc.

    -- Analysis --

    Cross Site Scripting (XSS) attacks are exploited by inserting custom
    HTML or active scripting content such as Javascript, which is then
    displayed and executed by another user. Two distinct injection points
    were identified in the WebIntelligence product:

    1. The Personalized Picture under the Options pane.
     No validation is performed on the input field, either on the client-
     side or server side, and it is possible to enter arbitrary Javascript
     or HTML code into this field. The impact of this vulnerability is
     mitigated to some degree by the fact that any injected script is only
     displayed to the currently logged in user and is not displayed to
     other users.

    2. The document name, when uploading a document.
     Client side input validation is performed on the document name which
     prevents users from entering certain characters (/ \ : * ? " < > |).
     However, this validation is not enforced on the server side and it is
     therefore possible to use these characters in the filename by
     bypassing the client side validation. Since the document name is
     visible to multiple users it is possible for an attacker to obtain
     sensitive cookie information, or otherwise subvert the trust users
     have in the authenticity of executed Javascript code.

    Cross Site Scripting vulnerabilities indicate that server side
    validation of data supplied by the client is incomplete, or poorly
    implemented.

    -- Recommendations --

    Business Objects have made patches available to correct this issue,
    which can be downloaded from the Online Customer Support site.

    Relevant updates are:

    WebIntelligence 2.7.0 - 2.7.2 & InfoView 5.1.4 - 5.1.6 (SP4-SP6)
    Upgrade to SP7 or SP8 and apply available patches

    WebIntelligence 2.7.3 & InfoView 5.1.7 (SP7)
    Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP860)

    WebIntelligence 2.7.4 & InfoView 5.1.8 (SP8)
    Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP864)

    -- CVE --

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2004-0534 to this issue. This is a candidate for inclusion in
    the CVE list (http://cve.mitre.org), which standardises names for
    security problems.

    -- References --

    [1] http://www.businessobjects.com
    [2] http://www.aspectsecurity.com/topten/xss.html

    -- Revision --

    a. Initial release.
    b. Minor grammatical changes.
    c. Added CVE reference.
    d. Released.

    -- Distribution --

    This security advisory may be freely distributed, provided that it
    remains unaltered and in its original form.

    -- Disclaimer --

    The information contained within this advisory is supplied "as-is" with
    no warranties or guarantees of fitness of use or otherwise. Corsaire
    accepts no responsibility for any damage caused by the use or misuse of
    this information.

    -- About Corsaire --

    Corsaire are a leading information security consultancy, founded in 1997
    in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
    analytical rigour to every job, which means fast and dramatic security
    performance improvements. Our services centre on the delivery of
    information security planning, assessment, implementation, management
    and vulnerability research.

    A free guide to selecting a security assessment supplier is available at
    http://www.penetration-testing.com

    Copyright 2004 Corsaire Limited. All rights reserved.


  • Next message: E.Bos_at_reseau.nl: "[VulnWatch] OpenBSD radius authentication vulnerability"