扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 |
################################################### 01. ###Advisory Information ### Title: Remote Privilege Escalation in SpagoBI Date published: 2013-02-28 Date of last update: 2013-02-28 Vendors contacted: Engineering Group Discovered by: Christian Catalano Severity: High 02. ###Vulnerability Information ### CVE reference: CVE-2013-6231 CVSS v2 Base Score: 9 CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C) Component/s: SpagoBI Class: Input Manipulation 03. ### Introduction ### SpagoBI[1] is an Open Source Business Intelligence suite, belonging to the free/open source SpagoWorld initiative, founded and supported by Engineering Group[2]. It offers a large range of analytical functions, a highly functional semantic layer often absent in other open source platforms and projects, and a respectable set of advanced data visualization features including geospatial analytics.[3] SpagoBI is released under the Mozilla Public License, allowing its commercial use. SpagoBI is hosted on OW2 Forge[4] managed by OW2 Consortium, an independent open-source software community. [1] - http://www.spagobi.org [2] - http://www.eng.it [3] - http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012 [4] - http://forge.ow2.org/projects/spagobi 04. ### Vulnerability Description ### SpagoBI contains a flaw that leads to unauthorized privileges being gained. The issue is triggered whenthe servlet (action): AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION is executed with specifically crafted input, and may allow a remote attacker to gain Administrator role privileges. 05. ### Technical Description / Proof of Concept Code ### An attacker(a SpagoBI malicious Business User with RSM role ) can invoke via URL the servlet (action): AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION to gain SpagoBI Administrator privilege. Toreproduce the vulnerability follow the provided information and steps below: - Using a browser log on to SpagoBI with restricted account (e.g. Business User Account) - Execute: https://localhost/SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION - Select your account from Users List - Select Administrator Role from Roles tab and save it Remote Privilege Escalation Attackhas been successfully completed! 06. ### Business Impact ### Successful exploitation of the vulnerability may allow a remote, authenticated attacker to elevate privileges and obtain full access to the affected system. Theattacker could exploit the vulnerability tobecome administrator and retrieve or publish any kind of data. 07. ### Systems Affected ### This vulnerability was tested against: SpagoBI 4.0 Older versions are probably affected too, but they were not checked. 08. ### Vendor Information, Solutions and Workarounds ### This issue is fixed in SpagoBI v4.1, which can be downloaded from: http://forge.ow2.org/project/showfiles.php?group_id=204 Fixed by vendor [verified] 09. ### Credits ### This vulnerability has been discovered by: Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com 10.### Vulnerability History ### October08th, 2013: Vulnerability identification October22th, 2013: Vendor notification to[SpagoBI Team] November 05th, 2013: Vendor Response/Feedbackfrom[SpagoBI Team] December 16th, 2013: Vendor Fix/Patch [SpagoBI Team] January16th, 2014: Fix/Patch Verified February 28th, 2014: Vulnerability disclosure 11. ### Disclaimer ### The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. ################################################### |
体验盒子
