Date: Sat, 01 Mar 2014 20:33:49 +0100
From: Christian Catalano <ch.catalano@...il.com>
To: OSVDB Mods <moderators@...db.org>, full-disclosure@...ts.grok.org.uk,
  bugtraq@...urityfocus.com, Secunia Research <vuln@...unia.com>,
  submit@...sec.com, submissions@...ketstormsecurity.com, submit@...7day.com,
  vuldb@...urityfocus.com, submit@...ecurity.com
Subject: [CVE-2013-6234] XSS File Upload in SpagoBI v4.0

###################################################

01. ###  Advisory Information ###

Title: XSS File Upload
Date published: 2014-03-01
Date of last update: 2014-03-01
Vendors contacted: Engineering Group
Discovered by: Christian Catalano
Severity: Medium


02. ###  Vulnerability Information ###

CVE reference: CVE-2013-6234
CVSS v2 Base Score: 4
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Component/s: SpagoBI
Class: Input Manipulation


03. ### Introduction ###

SpagoBI[1] is an Open Source Business Intelligence suite, belonging to 
the free/open source SpagoWorld initiative, founded and supported by 
Engineering Group[2].
It offers a large range of analytical functions, a highly functional 
semantic layer often absent in other open source platforms and projects, 
and a respectable set of advanced data visualization features including 
geospatial analytics[3].
SpagoBI is released under the Mozilla Public License, allowing its 
commercial use. SpagoBI is hosted on OW2 Forge[4] managed by OW2 
Consortium, an independent open-source software community.

[1] - http://www.spagobi.org
[2] - http://www.eng.it
[3] - http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - http://forge.ow2.org/projects/spagobi


04. ### Vulnerability Description ###

SpagoBI contains a flaw that may allow a remote attacker to execute 
arbitrary code. The flaw exists because the application does not 
restrict the file types that can be uploaded from the Worksheet 
designer function.
This may allow a remote attacker to upload arbitrary files (e.g. .html 
for XSS) that execute arbitrary script code in a user's browser, 
within the trust relationship between that browser and the server, or 
make more serious attacks easier to conduct.


05. ### Technical Description / Proof of Concept Code ###

An attacker (a malicious SpagoBI user with a restricted account) can 
upload a file from the Worksheet designer function.

To reproduce the vulnerability, follow the steps below:

- Using a browser, log on to SpagoBI with a restricted account (e.g. 
Business User Account)
- Go to: Worksheet designer function
- Click on: Image and Choose image
- Upload the malicious file and save it

XSS Malicious File Upload Attack has been successfully completed!

More details about the SpagoBI Worksheet Engine and Worksheet designer:
http://wiki.spagobi.org/xwiki/bin/view/spagobi_server/Worksheet#HWorksheetoverview

(e.g. Malicious File:  xss.html)

<!DOCTYPE html>
<html>
<head>
<script>
function myFunction()
{alert("XSS");}
</script>
</head>
<body>
<input type="button" onclick="myFunction()" value="Show alert box">
</body>
</html>
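
A server-side check of the kind this upload path lacked, written as an added example (not SpagoBI's code and not the vendor's v4.1 fix); the function name, the allowlist and the sample byte strings are assumptions constructed for illustration. It accepts a file only when both its extension and its leading bytes identify an image, and returns the headers to serve the stored file with so that a browser does not render it as HTML.

```python
import os

# Assumed allowlist for an image picker: extension -> (magic prefixes, MIME type).
ALLOWED_IMAGES = {
    ".png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    ".jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
}


def validate_image_upload(filename, data):
    """Return (accepted, reason, headers_for_serving) for one uploaded file."""
    # Discard any client-supplied directory part; only the last extension counts.
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_IMAGES:
        return False, "extension not in image allowlist", {}
    magics, mime = ALLOWED_IMAGES[ext]
    # The bytes must start with a signature of the type the extension claims.
    if not data.startswith(magics):
        return False, "content does not match declared image type", {}
    # Serve with the allowlisted type and forbid sniffing, so a polyglot that
    # carries markup behind a valid image header is still not rendered as HTML.
    headers = {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
    return True, "ok", headers


# Constructed sample inputs (not taken from a real system).
XSS_HTML = b'<!DOCTYPE html><html><head><script>alert("XSS")</script></head></html>'
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17

if __name__ == "__main__":
    cases = [("xss.html", XSS_HTML), ("xss.png", XSS_HTML),
             ("logo.png.html", PNG_SAMPLE), ("logo.PNG", PNG_SAMPLE)]
    for fname, body in cases:
        print(fname, validate_image_upload(fname, body)[:2])
```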


06. ### Business Impact ###

Exploitation of the vulnerability requires a low-privileged application 
user account and low or medium user interaction. Successful exploitation 
of the vulnerability results in session hijacking, client-side phishing, 
client-side external redirects or malware loads, and client-side 
manipulation of the vulnerable module context.


07. ### Systems Affected ###

This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.


08. ### Vendor Information, Solutions and Workarounds ###

This issue is fixed in SpagoBI v4.1, which can be downloaded from:
http://forge.ow2.org/project/showfiles.php?group_id=204

Fixed by vendor [verified]


09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com


10.  ### Vulnerability History ###

October  09th, 2013: Vulnerability identification
October  22nd, 2013: Vendor notification to  [SpagoBI Team]
November 05th, 2013: Vendor Response/Feedback  from  [SpagoBI Team]
December 16th, 2013: Vendor Fix/Patch [SpagoBI Team]
January  16th, 2014: Fix/Patch Verified
March    01st, 2014: Vulnerability disclosure


11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of 
this information.

###################################################
