lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <005901c49c9f$a2e8b7b0$d4f0bb51@vegetabl3.org>
From: advisories at corsaire.com (advisories)
Subject: Corsaire Security Advisory - Business Objects WebIntelligence XSS issue

-- Corsaire Security Advisory --

Title: Business Objects WebIntelligence XSS issue
Date: 27.05.04
Application: WebIntelligence 2.7, Business Objects 5.1
Environment: Various
Author: Stephen de Vries [stephen@...saire.com]
Audience: General distribution
Reference: c040527-002


-- Scope --

The aim of this document is to clearly define a vulnerability in the 
WebIntelligence product, as supplied by Business Objects [1], that 
allows an authenticated attacker to perform a Cross Site Scripting (XSS) 
attack [2].


-- History --

Discovered: 20.05.04 
Vendor notified: 28.05.04
Document released: 17.09.04


-- Overview --

The WebIntelligence product provides a web based interface to the 
Business Objects query tool. The WebIntelligence application validates 
certain input data on the client side, however, this validation is not 
enforced on the server side. By bypassing the client validation, it is 
possible to achieve an XSS attack, potentially giving access to 
confidential information, such as session cookies etc.  


-- Analysis --

Cross Site Scripting (XSS) attacks are exploited by inserting custom 
HTML or active scripting content such as Javascript, which is then 
displayed and executed by another user.  Two distinct injection points 
were identified in the WebIntelligence product:

1. The Personalized Picture under the Options pane.
 No validation is performed on the input field, either on the client-
 side or server side, and it is possible to enter arbitrary Javascript 
 or HTML code into this field.  The impact of this vulnerability is 
 mitigated to some degree by the fact that any injected script is only 
 displayed to the currently logged in user and is not displayed to 
 other users.

2. The document name, when uploading a document.
 Client side input validation is performed on the document name which 
 prevents users from entering certain characters (/ \ : * ? " < > |).  
 However, this validation is not enforced on the server side and it is 
 therefore possible to use these characters in the filename by 
 bypassing the client side validation.  Since the document name is 
 visible to multiple users it is possible for an attacker to obtain 
 sensitive cookie information, or otherwise subvert the trust users 
 have in the authenticity of executed Javascript code.

Cross Site Scripting vulnerabilities indicate that server side 
validation of data supplied by the client is incomplete, or poorly 
implemented.


-- Recommendations --

Business Objects have made patches available to correct this issue, 
which can be downloaded from the Online Customer Support site. 

Relevant updates are:

WebIntelligence 2.7.0 - 2.7.2 & InfoView 5.1.4 - 5.1.6 (SP4-SP6)
Upgrade to SP7 or SP8 and apply available patches

WebIntelligence 2.7.3 & InfoView 5.1.7 (SP7)
Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP860)

WebIntelligence 2.7.4 & InfoView 5.1.8 (SP8) 
Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP864)


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2004-0534 to this issue. This is a candidate for inclusion in 
the CVE list (http://cve.mitre.org), which standardises names for 
security problems.


-- References --

[1] http://www.businessobjects.com
[2] http://www.aspectsecurity.com/topten/xss.html


-- Revision --

a. Initial release.
b. Minor grammatical changes.
c. Added CVE reference.
d. Released.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2004 Corsaire Limited. All rights reserved.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ