SpagoBI 4.0 - Arbitrary XSS File Upload

Introduction ###
 
SpagoBI[1] is an Open Source Business Intelligence suite, belonging to 
the free/open source SpagoWorld initiative, founded and supported by 
Engineering Group[2].
It offers a large range of analytical functions, a highly functional 
semantic layer often absent in other open source platforms and projects, 
and a respectable set of advanced data visualization features including 
geospatial analytics.
[3]SpagoBI is released under the Mozilla Public License, allowing its 
commercial use. SpagoBI is hosted on OW2 Forge[4] managed by OW2 
Consortium, an independent open-source software community.
 
[1] - http://www.spagobi.org
[2] - http://www.eng.it
[3] - 
http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - http://forge.ow2.org/projects/spagobi
 
 
04. ### Vulnerability Description ###
 
SpagoBI contains a flaw that may allow a remote attacker to execute 
arbitrary code. This flaw exists because the application does not 
restrict uploading for specific file types from Worksheet designer 
function.
This may allow a remote attacker to upload arbitrary files (e.g. .html 
for XSS) that would execute arbitrary script code in a user's browser 
within the trust relationship between their browser and the server or 
more easily conduct more serious attacks.
 
 
05. ### Technical Description / Proof of Concept Code ###
 
An attacker  (a SpagoBI malicious user with a restricted account) can 
upload a file from Worksheet designer function.
 
To  reproduce the vulnerability follow the provided information and 
steps below:
 
- Using a browser log on to SpagoBI with restricted account (e.g. 
Business User Account)
- Go on:  Worksheet designer function
- Click on: Image  and Choose image
- Upload  malicious file and save it
 
XSS Malicious File Upload  Attack  has been successfully completed!
 
More details about SpagoBI Worksheet Engine and  Worksheet designer
http://wiki.spagobi.org/xwiki/bin/view/spagobi_server/Worksheet#HWorksheetoverview
 
(e.g. Malicious File:  xss.html)
 
<!DOCTYPE html>
<html>
<head>
<script>
function myFunction()
{alert("XSS");}
</script>
</head>
<body>
<input type="button" onclick="myFunction()" value="Show alert box">
</body>
</html>
 
 
06. ### Business Impact ###
 
Exploitation of the vulnerability requires low privileged application 
user account but low or medium user interaction. Successful exploitation 
of the vulnerability results in session hijacking, client-side phishing, 
client-side external redirects or malware loads and client-side 
manipulation of the vulnerable module context.
 
 
07. ### Systems Affected ###
 
This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.
 
 
08. ### Vendor Information, Solutions and Workarounds ###
 
This issue is fixed in SpagoBI v4.1, which can be downloaded from:
http://forge.ow2.org/project/showfiles.php?group_id=204
 
Fixed by vendor [verified]
 
 
09. ### Credits ###
 
This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com
 
 
10.  ### Vulnerability History ###
 
October  09th, 2013: Vulnerability identification
October  22th, 2013: Vendor notification to  [SpagoBI Team]
November 05th, 2013: Vendor Response/Feedback  from  [SpagoBI Team]
December 16th, 2013: Vendor Fix/Patch [SpagoBI Team]
January  16th, 2014: Fix/Patch Verified
March    01st, 2014: Vulnerability disclosure
 
 
11. ### Disclaimer ###
 
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of 
this information.

#  0day.today [2018-02-20]  #