Vulnwatch mailing list archives
Corsaire Security Advisory - Business Objects WebIntelligence XSS issue
From: "advisories" <advisories () corsaire com>
Date: Fri, 17 Sep 2004 11:19:00 +0100
-- Corsaire Security Advisory -- Title: Business Objects WebIntelligence XSS issue Date: 27.05.04 Application: WebIntelligence 2.7, Business Objects 5.1 Environment: Various Author: Stephen de Vries [stephen () corsaire com] Audience: General distribution Reference: c040527-002 -- Scope -- The aim of this document is to clearly define a vulnerability in the WebIntelligence product, as supplied by Business Objects [1], that allows an authenticated attacker to perform a Cross Site Scripting (XSS) attack [2]. -- History -- Discovered: 20.05.04 Vendor notified: 28.05.04 Document released: 17.09.04 -- Overview -- The WebIntelligence product provides a web based interface to the Business Objects query tool. The WebIntelligence application validates certain input data on the client side, however, this validation is not enforced on the server side. By bypassing the client validation, it is possible to achieve an XSS attack, potentially giving access to confidential information, such as session cookies etc. -- Analysis -- Cross Site Scripting (XSS) attacks are exploited by inserting custom HTML or active scripting content such as Javascript, which is then displayed and executed by another user. Two distinct injection points were identified in the WebIntelligence product: 1. The Personalized Picture under the Options pane. No validation is performed on the input field, either on the client- side or server side, and it is possible to enter arbitrary Javascript or HTML code into this field. The impact of this vulnerability is mitigated to some degree by the fact that any injected script is only displayed to the currently logged in user and is not displayed to other users. 2. The document name, when uploading a document. Client side input validation is performed on the document name which prevents users from entering certain characters (/ \ : * ? " < > |). However, this validation is not enforced on the server side and it is therefore possible to use these characters in the filename by bypassing the client side validation. Since the document name is visible to multiple users it is possible for an attacker to obtain sensitive cookie information, or otherwise subvert the trust users have in the authenticity of executed Javascript code. Cross Site Scripting vulnerabilities indicate that server side validation of data supplied by the client is incomplete, or poorly implemented. -- Recommendations -- Business Objects have made patches available to correct this issue, which can be downloaded from the Online Customer Support site. Relevant updates are: WebIntelligence 2.7.0 - 2.7.2 & InfoView 5.1.4 - 5.1.6 (SP4-SP6) Upgrade to SP7 or SP8 and apply available patches WebIntelligence 2.7.3 & InfoView 5.1.7 (SP7) Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP860) WebIntelligence 2.7.4 & InfoView 5.1.8 (SP8) Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP864) -- CVE -- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0534 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems. -- References -- [1] http://www.businessobjects.com [2] http://www.aspectsecurity.com/topten/xss.html -- Revision -- a. Initial release. b. Minor grammatical changes. c. Added CVE reference. d. Released. -- Distribution -- This security advisory may be freely distributed, provided that it remains unaltered and in its original form. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- About Corsaire -- Corsaire are a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research. A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com Copyright 2004 Corsaire Limited. All rights reserved.
Current thread:
- Corsaire Security Advisory - Business Objects WebIntelligence XSS issue advisories (Sep 17)