################################################### 01. ### Advisory Information ### Title: XSS File Upload Date published: 2014-03-01 Date of last update: 2014-03-01 Vendors contacted: Engineering Group Discovered by: Christian Catalano Severity: Medium 02. ### Vulnerability Information ### CVE reference: CVE-2013-6234 CVSS v2 Base Score: 4 CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Component/s: SpagoBI Class: Input Manipulation 03. ### Introduction ### SpagoBI[1] is an Open Source Business Intelligence suite, belonging to the free/open source SpagoWorld initiative, founded and supported by Engineering Group[2]. It offers a large range of analytical functions, a highly functional semantic layer often absent in other open source platforms and projects, and a respectable set of advanced data visualization features including geospatial analytics. [3]SpagoBI is released under the Mozilla Public License, allowing its commercial use. SpagoBI is hosted on OW2 Forge[4] managed by OW2 Consortium, an independent open-source software community. [1] - http://www.spagobi.org [2] - http://www.eng.it [3] - http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012 [4] - http://forge.ow2.org/projects/spagobi 04. ### Vulnerability Description ### SpagoBI contains a flaw that may allow a remote attacker to execute arbitrary code. This flaw exists because the application does not restrict uploading for specific file types from Worksheet designer function. This may allow a remote attacker to upload arbitrary files (e.g. .html for XSS) that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server or more easily conduct more serious attacks. 05. ### Technical Description / Proof of Concept Code ### An attacker (a SpagoBI malicious user with a restricted account) can upload a file from Worksheet designer function. To reproduce the vulnerability follow the provided information and steps below: - Using a browser log on to SpagoBI with restricted account (e.g. Business User Account) - Go on: Worksheet designer function - Click on: Image and Choose image - Upload malicious file and save it XSS Malicious File Upload Attack has been successfully completed! More details about SpagoBI Worksheet Engine and Worksheet designer http://wiki.spagobi.org/xwiki/bin/view/spagobi_server/Worksheet#HWorksheetoverview (e.g. Malicious File: xss.html) 06. ### Business Impact ### Exploitation of the vulnerability requires low privileged application user account but low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, client-side phishing, client-side external redirects or malware loads and client-side manipulation of the vulnerable module context. 07. ### Systems Affected ### This vulnerability was tested against: SpagoBI 4.0 Older versions are probably affected too, but they were not checked. 08. ### Vendor Information, Solutions and Workarounds ### This issue is fixed in SpagoBI v4.1, which can be downloaded from: http://forge.ow2.org/project/showfiles.php?group_id=204 Fixed by vendor [verified] 09. ### Credits ### This vulnerability has been discovered by: Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com 10. ### Vulnerability History ### October 09th, 2013: Vulnerability identification October 22th, 2013: Vendor notification to [SpagoBI Team] November 05th, 2013: Vendor Response/Feedback from [SpagoBI Team] December 16th, 2013: Vendor Fix/Patch [SpagoBI Team] January 16th, 2014: Fix/Patch Verified March 01st, 2014: Vulnerability disclosure 11. ### Disclaimer ### The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. ###################################################