###################################################
01. ### Advisory Information ###
Title: Persistent Cross-Site Scripting (XSS) in SpagoBI
Date published: 2014-03-01
Date of last update: 2014-03-01
Vendors contacted: Engineering Group
Discovered by: Christian Catalano
Severity: High
02. ### Vulnerability Information ###
CVE reference: CVE-2013-6232
CVSS v2 Base Score: 4
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Component/s: SpagoBI
Class: Input Manipulation
03. ### Introduction ###
SpagoBI[1] is an Open Source Business Intelligence suite, belonging to
the free/open source SpagoWorld initiative, founded and supported by
Engineering Group[2].
It offers a large range of analytical functions, a highly functional
semantic layer often absent in other open source platforms and projects,
and a respectable set of advanced data visualization features including
geospatial analytics.
[3]SpagoBI is released under the Mozilla Public License, allowing its
commercial use.
SpagoBI is hosted on OW2 Forge[4] managed by OW2 Consortium, an
independent open-source software community.
[1] - http://www.spagobi.org
[2] - http://www.eng.it
[3] -
http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - http://forge.ow2.org/projects/spagobi
04. ### Vulnerability Description ###
SpagoBI contains a flaw that allows persistent cross-site scripting
(XSS) attacks. This flaw exists because the application does not
validate certain unspecified input before returning it to the user. This
may allow an attacker to create a specially crafted request that would
execute arbitrary script code in a user's browser within the trust
relationship between their browser and the server.
05. ### Technical Description / Proof of Concept Code ###
In execution page can be visible a toolbar with various icons useful for
the user to perform actions related to the document runs.
The user can insert a note about the executed document.
The note is associated to the document with relative parameters value
and to the user.
It can be public or private, so public notes are visible to all users
while the private notes are visible only from the user creator.
An attacker (a SpagoBI malicious user with a restricted account ) can
insert a note with jasvascript code:
<object data="javascript:alert('XSS')"></object>
and save it in public mode.
The code execution happens when the victim (an unaware user) click on
annotate document detail.
This is not the only way to add malicious code in the SpagoBI web app.
06. ### Business Impact ###
Exploitation of the vulnerability requires low privileged application
user account but low or medium user interaction.
Successful exploitation of the vulnerability results in session
hijacking, client-side phishing, client-side external redirects or
malware loads and client-side manipulation of the vulnerable module context.
07. ### Systems Affected ###
This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.
08. ### Vendor Information, Solutions and Workarounds ###
This issue is fixed in SpagoBI v4.1, which can be downloaded from:
http://forge.ow2.org/project/showfiles.php?group_id=204
Fixed by vendor [verified]
09. ### Credits ###
This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com
10. ### Vulnerability History ###
October 08th, 2013: Vulnerability identification
October 22th, 2013: Vendor notification to [SpagoBI Team]
November 05th, 2013: Vendor Response/Feedback from [SpagoBI Team]
December 16th, 2013: Vendor Fix/Patch [SpagoBI Team]
January 16th, 2014: Fix/Patch Verified
March 01st, 2014: Vulnerability disclosure
11. ### Disclaimer ###
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.
###################################################
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
01. ### Advisory Information ###
Title: Persistent Cross-Site Scripting (XSS) in SpagoBI
Date published: 2014-03-01
Date of last update: 2014-03-01
Vendors contacted: Engineering Group
Discovered by: Christian Catalano
Severity: High
02. ### Vulnerability Information ###
CVE reference: CVE-2013-6232
CVSS v2 Base Score: 4
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Component/s: SpagoBI
Class: Input Manipulation
03. ### Introduction ###
SpagoBI[1] is an Open Source Business Intelligence suite, belonging to
the free/open source SpagoWorld initiative, founded and supported by
Engineering Group[2].
It offers a large range of analytical functions, a highly functional
semantic layer often absent in other open source platforms and projects,
and a respectable set of advanced data visualization features including
geospatial analytics.
[3]SpagoBI is released under the Mozilla Public License, allowing its
commercial use.
SpagoBI is hosted on OW2 Forge[4] managed by OW2 Consortium, an
independent open-source software community.
[1] - http://www.spagobi.org
[2] - http://www.eng.it
[3] -
http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - http://forge.ow2.org/projects/spagobi
04. ### Vulnerability Description ###
SpagoBI contains a flaw that allows persistent cross-site scripting
(XSS) attacks. This flaw exists because the application does not
validate certain unspecified input before returning it to the user. This
may allow an attacker to create a specially crafted request that would
execute arbitrary script code in a user's browser within the trust
relationship between their browser and the server.
05. ### Technical Description / Proof of Concept Code ###
In execution page can be visible a toolbar with various icons useful for
the user to perform actions related to the document runs.
The user can insert a note about the executed document.
The note is associated to the document with relative parameters value
and to the user.
It can be public or private, so public notes are visible to all users
while the private notes are visible only from the user creator.
An attacker (a SpagoBI malicious user with a restricted account ) can
insert a note with jasvascript code:
<object data="javascript:alert('XSS')"></object>
and save it in public mode.
The code execution happens when the victim (an unaware user) click on
annotate document detail.
This is not the only way to add malicious code in the SpagoBI web app.
06. ### Business Impact ###
Exploitation of the vulnerability requires low privileged application
user account but low or medium user interaction.
Successful exploitation of the vulnerability results in session
hijacking, client-side phishing, client-side external redirects or
malware loads and client-side manipulation of the vulnerable module context.
07. ### Systems Affected ###
This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.
08. ### Vendor Information, Solutions and Workarounds ###
This issue is fixed in SpagoBI v4.1, which can be downloaded from:
http://forge.ow2.org/project/showfiles.php?group_id=204
Fixed by vendor [verified]
09. ### Credits ###
This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com
10. ### Vulnerability History ###
October 08th, 2013: Vulnerability identification
October 22th, 2013: Vendor notification to [SpagoBI Team]
November 05th, 2013: Vendor Response/Feedback from [SpagoBI Team]
December 16th, 2013: Vendor Fix/Patch [SpagoBI Team]
January 16th, 2014: Fix/Patch Verified
March 01st, 2014: Vulnerability disclosure
11. ### Disclaimer ###
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.
###################################################
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/