MicroStrategy Intelligence Server And Web 10.4 XSS / Disclosure / SSRF / Code Execution

2020.04.04
Credit: redtimmysec
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

# Exploit Title: MicroStrategy Intelligence Server and Web 10.4 - multiple vulnerabilities # Exploit Author: RedTimmy Security # Authors blog: https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/ # Vendor Homepage: https://www.microstrategy.com/ # Version(s): 10.4 and possibly above # CVE: CVE-2020-11450, CVE-2020-11451, CVE-2020-11452, CVE-2020-11453, CVE-2020-11454 Early last autumn we have conducted an assessment on MicroStrategy Intellitence Server & Web 10.4, that brought to the discovery of six different vulnerabilities and recently to the registration of a total of five CVE(s). CVE-2020-11450 - Information Disclosure in Axis2 Happiness Page Microstrategy Web 10.4 and possibly above exposes JVM configuration, CPU architecture, installation folder and other info through the URL “/MicroStrategyWS/happyaxis.jsp”. An attacker could use this vulnerability to learn more about the environment the application is running in. CVE-2020-11453 - Server-Side Request Forgery in Test Web Service Microstrategy Web 10.4 and possibly above is vulnerable to Server-Side Request Forgery in the “Test Web Service” functionality exposed through the path “/MicroStrategyWS/”. The functionality requires no authentication and, while it is not possible to pass arbitrary schemes and parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). CVE-2020-11452- Server Side Request Forgery in adding external data Microstrategy Web 10.4 and possibly above includes a functionality to allow users to import files or data from external resources such as URLs or databases in order to parse contents for dashboard creation. By providing an external URL under attacker control it’s possible to send requests to external resources or leak files from the local system using the “file://” stream wrapper. CVE-2020-11451 - Remote Code Execution in Upload Visualization Plugin The “Upload Visualization” plugin in the Microstrategy admin panel (version 10.4 and above) allows an administrator to upload a zip archive containing files with arbitrary extensions and data. Access to admin panel could be reached through SSRF (for example via CVE-2020-11452). CVE-2020-11454 - Stored Cross-Site Scripting in the Dashboard Microstrategy Web 10.4 and possibly above is vulnerable to Stored Cross-Site Scripting in the “HTML Container” and “Insert Text” functionalities in the window allowing for the creation of a new dashboard. In order to exploit this vulnerability an user need to have access to a shared dashboard or the ability to create a dashboard on the application. More details and full story here: https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top