-- Corsaire Security Advisory --
Title: Business Objects WebIntelligence arbitrary document deletion issue
Date: 27.05.04
Application: WebIntelligence 2.7, Business Objects 5.1
Environment: Various
Author: Stephen de Vries [stephen@corsaire.com]
Audience: General distribution
Reference: c040527-001
-- Scope --
The aim of this document is to clearly define a vulnerability in the
WebIntelligence product, as supplied by Business Objects [1], that
allows an authenticated attacker to bypass the access control
restrictions and delete arbitrary documents.
-- History --
Discovered: 20.05.04
Vendor notified: 28.05.04
Document released: 17.09.04
-- Overview --
The WebIntelligence product provides a web based interface to the
Business Objects query tool. Users can upload, delete and assign access
rights to documents. A vulnerability in the application allows
authenticated users to bypass the access controls and delete arbitrary
documents from the application.
-- Analysis --
It appears that WebIntelligence implements access control on the client-
side by only displaying the permitted actions in the browser. If a user
is not permitted to delete a document, then the delete button is not
displayed. However, if the deletion request is performed manually, any
document can be deleted.
Documents submitted for deletion are identified by WebIntelligence using
two identifiers: the document ID and the document name. These are
displayed as URL parameters when a request is made to download the
document. Even if the user does not have permission to delete the
document, they can place the identifier values into a deletion request
URL and thereby bypass the functionality.
-- Recommendations --
Business Objects have made patches available to correct this issue,
which can be downloaded from the Online Customer Support site.
Relevant updates are:
WebIntelligence 2.7.0 - 2.7.2 & InfoView 5.1.4 - 5.1.6 (SP4-SP6)
Upgrade to SP7 or SP8 and apply available patches
WebIntelligence 2.7.3 & InfoView 5.1.7 (SP7)
Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP860)
WebIntelligence 2.7.4 & InfoView 5.1.8 (SP8)
Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP864)
-- CVE --
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2004-0533 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardises
names for security problems.
-- References --
[1] http://www.businessobjects.com
-- Revision --
a. Initial release.
b. Minor grammatical changes.
c. Added CVE reference.
d. Released.
-- Distribution --
This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.
-- Disclaimer --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.
-- About Corsaire --
Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.
A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com
Copyright 2004 Corsaire Limited. All rights reserved.
