Tableau Server - Blind SQL Injection Vulnerability

Source: 0day.today (1337DAY-ID-21878)
Author: Trustwave's SpiderLabs
Posted: Feb 11, 2014
EPSS: 0.006 (Low), percentile 78.9%
Listed under: web applications (php platform)

Blind SQL Injection Vulnerability in Tableau Server
 
Published: 02/07/14
Version: 1.1
 
Vendor: Tableau Software (http://www.tableausoftware.com)
Product: Tableau Server
Versions affected: 8.1.X before 8.1.2 and 8.0.X before 8.0.7. Not present
in 7.0.X and earlier.
 
Product description:
Tableau Server is a business intelligence application that provides
browser-based analytics.
 
Finding: Blind SQL Injection
Credit: Tanya Secker & Christiaan Esterhuizen of Trustwave SpiderLabs
CVE: CVE-2014-1204
CWE: CWE-89
 
It is possible for an authenticated user, or a guest user (if guest access is
enabled), to inject arbitrary SQL into the Tableau Server backend database.
As a proof of concept, the name of the default database user (Zrails) was
retrieved using the following payload:
 
http://127.0.0.1/views?modified_after=2013-12-08T23%3A00%3A00.000Z'%20or%20user%20like%20'Zrails
 
The database appears to be Oracle and both the modified_after and
modified_before parameters are vulnerable.
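As an added illustration (not Trustwave's or Tableau's code), the flawed and the hardened handling of a timestamp filter such as modified_after, plus a log check that flags requests whose modified_after/modified_before value is not a clean ISO 8601 timestamp. The in-memory SQLite table, its columns and the access-log lines are constructed stand-ins for the Oracle backend the advisory names; the mitigation (strict input validation plus a bound parameter) is the same on either database.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# The only shape modified_after / modified_before should carry: an ISO 8601
# UTC timestamp with millisecond precision, e.g. 2013-12-08T23:00:00.000Z
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")
PATH_RE = re.compile(r'"(?:GET|POST) (\S+) ')  # request path in a log line

def valid_timestamp(value):
    """Strict allow-list check; quotes, spaces and SQL keywords never pass."""
    return bool(ISO_UTC.match(value))

def build_query_vulnerable(raw):
    """The flawed pattern: the parameter is spliced into the SQL text itself."""
    return "SELECT name FROM views WHERE updated_at > '%s'" % raw

def setup_db():
    # Constructed in-memory table standing in for the server's backend database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE views (name TEXT, updated_at TEXT)")
    conn.executemany("INSERT INTO views VALUES (?, ?)",
                     [("sales", "2013-12-01T10:00:00.000Z"),
                      ("ops", "2013-12-09T08:30:00.000Z")])
    return conn

def views_modified_after(conn, raw):
    """Hardened handler: reject anything but a timestamp, then bind the value."""
    if not valid_timestamp(raw):
        raise ValueError("modified_after must be an ISO 8601 UTC timestamp")
    rows = conn.execute("SELECT name FROM views WHERE updated_at > ?", (raw,))
    return [r[0] for r in rows]

# Constructed access-log lines; the second carries the advisory's payload
# exactly as it appears in the request line (':' encoded, quote literal).
ACCESS_LOG = [
    '10.0.0.5 - alice [08/Dec/2013:23:01:02 +0000] "GET /views?modified_after=2013-12-08T23%3A00%3A00.000Z HTTP/1.1" 200 512',
    '10.0.0.9 - guest [08/Dec/2013:23:01:09 +0000] "GET /views?modified_after=2013-12-08T23%3A00%3A00.000Z\'%20or%20user%20like%20\'Zrails HTTP/1.1" 200 512',
]

def flag_suspicious_requests(lines):
    """Return request paths whose timestamp filters do not parse as timestamps."""
    hits = []
    for path in (m.group(1) for m in map(PATH_RE.search, lines) if m):
        params = parse_qs(urlparse(path).query)
        if any(not valid_timestamp(v) for key in ("modified_after", "modified_before")
               for v in params.get(key, [])):
            hits.append(path)
    return hits
```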
 
Remediation Steps:
The vendor has released a fix in version 8.1.2 and version 8.0.7. Version
7.0.X is not affected.
 
Revision History:
12/06/13 - Vulnerability disclosed
12/06/13 - Vendor responded
12/23/13 - Patch released by vendor
01/24/14 - Advisory published
02/07/14 - Advisory revision published

#  0day.today [2018-04-14]  #