-- Corsaire Security Advisory --
Title: Business Objects WebIntelligence XSS issue
Date: 27.05.04
Application: WebIntelligence 2.7, Business Objects 5.1
Environment: Various
Author: Stephen de Vries [stephen@corsaire.com]
Audience: General distribution
Reference: c040527-002
-- Scope --
The aim of this document is to clearly define a vulnerability in the
WebIntelligence product, as supplied by Business Objects [1], that
allows an authenticated attacker to perform a Cross Site Scripting (XSS)
attack [2].
-- History --
Discovered: 20.05.04
Vendor notified: 28.05.04
Document released: 17.09.04
-- Overview --
The WebIntelligence product provides a web based interface to the
Business Objects query tool. The WebIntelligence application validates
certain input data on the client side, however, this validation is not
enforced on the server side. By bypassing the client validation, it is
possible to achieve an XSS attack, potentially giving access to
confidential information, such as session cookies etc.
-- Analysis --
Cross Site Scripting (XSS) attacks are exploited by inserting custom
HTML or active scripting content such as Javascript, which is then
displayed and executed by another user. Two distinct injection points
were identified in the WebIntelligence product:
1. The Personalized Picture under the Options pane.
No validation is performed on the input field, either on the client-
side or server side, and it is possible to enter arbitrary Javascript
or HTML code into this field. The impact of this vulnerability is
mitigated to some degree by the fact that any injected script is only
displayed to the currently logged in user and is not displayed to
other users.
2. The document name, when uploading a document.
Client side input validation is performed on the document name which
prevents users from entering certain characters (/ \ : * ? " < > |).
However, this validation is not enforced on the server side and it is
therefore possible to use these characters in the filename by
bypassing the client side validation. Since the document name is
visible to multiple users it is possible for an attacker to obtain
sensitive cookie information, or otherwise subvert the trust users
have in the authenticity of executed Javascript code.
Cross Site Scripting vulnerabilities indicate that server side
validation of data supplied by the client is incomplete, or poorly
implemented.
-- Recommendations --
Business Objects have made patches available to correct this issue,
which can be downloaded from the Online Customer Support site.
Relevant updates are:
WebIntelligence 2.7.0 - 2.7.2 & InfoView 5.1.4 - 5.1.6 (SP4-SP6)
Upgrade to SP7 or SP8 and apply available patches
WebIntelligence 2.7.3 & InfoView 5.1.7 (SP7)
Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP860)
WebIntelligence 2.7.4 & InfoView 5.1.8 (SP8)
Download the update for Windows, Windows JP,Sun, AIX, & HP (CSP864)
-- CVE --
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0534 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.
-- References --
[1] http://www.businessobjects.com
[2] http://www.aspectsecurity.com/topten/xss.html
-- Revision --
a. Initial release.
b. Minor grammatical changes.
c. Added CVE reference.
d. Released.
-- Distribution --
This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.
-- Disclaimer --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.
-- About Corsaire --
Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.
A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com
Copyright 2004 Corsaire Limited. All rights reserved.
