Full Disclosure mailing list archives
Corsaire Security Advisory - Business Objects WebIntelligence arbitrary document deletion issue
From: "advisories" <advisories () corsaire com>
Date: Fri, 17 Sep 2004 11:13:41 +0100
-- Corsaire Security Advisory -- Title: Business Objects WebIntelligence arbitrary document deletion issue Date: 27.05.04 Application: WebIntelligence 2.7, Business Objects 5.1 Environment: Various Author: Stephen de Vries [stephen () corsaire com] Audience: General distribution Reference: c040527-001 -- Scope -- The aim of this document is to clearly define a vulnerability in the WebIntelligence product, as supplied by Business Objects [1], that allows an authenticated attacker to bypass the access control restrictions and delete arbitrary documents. -- History -- Discovered: 20.05.04 Vendor notified: 28.05.04 Document released: 17.09.04 -- Overview -- The WebIntelligence product provides a web based interface to the Business Objects query tool. Users can upload, delete and assign access rights to documents. A vulnerability in the application allows authenticated users to bypass the access controls and delete arbitrary documents from the application. -- Analysis -- It appears that WebIntelligence implements access control on the client- side by only displaying the permitted actions in the browser. If a user is not permitted to delete a document, then the delete button is not displayed. However, if the deletion request is performed manually, any document can be deleted. Documents submitted for deletion are identified by WebIntelligence using two identifiers: the document ID and the document name. These are displayed as URL parameters when a request is made to download the document. Even if the user does not have permission to delete the document, they can place the identifier values into a deletion request URL and thereby bypass the functionality. -- Recommendations -- Business Objects have made patches available to correct this issue, which can be downloaded from the Online Customer Support site. Relevant updates are: WebIntelligence 2.7.0 - 2.7.2 & InfoView 5.1.4 - 5.1.6 (SP4-SP6) Upgrade to SP7 or SP8 and apply available patches WebIntelligence 2.7.3 & InfoView 5.1.7 (SP7) Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP860) WebIntelligence 2.7.4 & InfoView 5.1.8 (SP8) Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP864) -- CVE -- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0533 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems. -- References -- [1] http://www.businessobjects.com -- Revision -- a. Initial release. b. Minor grammatical changes. c. Added CVE reference. d. Released. -- Distribution -- This security advisory may be freely distributed, provided that it remains unaltered and in its original form. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- About Corsaire -- Corsaire are a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research. A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com Copyright 2004 Corsaire Limited. All rights reserved. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Corsaire Security Advisory - Business Objects WebIntelligence arbitrary document deletion issue advisories (Sep 17)