exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SpagoBI 4.0 Privilege Escalation

SpagoBI 4.0 Privilege Escalation
Posted Feb 28, 2014
Authored by Christian Catalano

SpagoBI version 4.0 suffers from an administrative privilege escalation vulnerability.

tags | exploit
advisories | CVE-2013-6231
SHA-256 | 08879394f05ec3888c94bd4b06561081d45aa1549a6e63d70b7be33bbcfe4f7f

SpagoBI 4.0 Privilege Escalation

Change Mirror Download
###################################################
01. ### Advisory Information ###

Title: Remote Privilege Escalation in SpagoBI
Date published: 2013-02-28
Date of last update: 2013-02-28
Vendors contacted: Engineering Group
Discovered by: Christian Catalano
Severity: High


02. ### Vulnerability Information ###

CVE reference: CVE-2013-6231
CVSS v2 Base Score: 9
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Component/s: SpagoBI
Class: Input Manipulation


03. ### Introduction ###

SpagoBI[1] is an Open Source Business Intelligence suite, belonging to
the free/open source SpagoWorld initiative, founded and supported by
Engineering Group[2].
It offers a large range of analytical functions, a highly functional
semantic layer often absent in other open source platforms and projects,
and a respectable set of advanced data visualization features including
geospatial analytics.[3]
SpagoBI is released under the Mozilla Public License, allowing its
commercial use.
SpagoBI is hosted on OW2 Forge[4] managed by OW2 Consortium, an
independent open-source software community.

[1] - https://www.spagobi.org
[2] - https://www.eng.it
[3] -
https://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - https://forge.ow2.org/projects/spagobi


04. ### Vulnerability Description ###

SpagoBI contains a flaw that leads to unauthorized privileges being
gained. The issue is triggered when the servlet (action):
AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION is executed with specifically
crafted input, and may allow a remote attacker to gain Administrator
role privileges.


05. ### Technical Description / Proof of Concept Code ###

An attacker (a SpagoBI malicious Business User with RSM role ) can
invoke via URL the servlet (action):

AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION

to gain SpagoBI Administrator privilege.
To reproduce the vulnerability follow the provided information and
steps below:

- Using a browser log on to SpagoBI with restricted account (e.g.
Business User Account)

- Execute:
https://localhost/SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION

- Select your account from Users List

- Select Administrator Role from Roles tab and save it

Remote Privilege Escalation Attack has been successfully completed!


06. ### Business Impact ###

Successful exploitation of the vulnerability may allow a remote,
authenticated attacker to elevate privileges and obtain full access to
the affected system.
The attacker could exploit the vulnerability to become administrator
and retrieve or publish any kind of data.


07. ### Systems Affected ###

This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.


08. ### Vendor Information, Solutions and Workarounds ###

This issue is fixed in SpagoBI v4.1, which can be downloaded from:
https://forge.ow2.org/project/showfiles.php?group_id=204

Fixed by vendor [verified]


09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com


10. ### Vulnerability History ###

October 08th, 2013: Vulnerability identification
October 22th, 2013: Vendor notification to [SpagoBI Team]
November 05th, 2013: Vendor Response/Feedback from [SpagoBI Team]
December 16th, 2013: Vendor Fix/Patch [SpagoBI Team]
January 16th, 2014: Fix/Patch Verified
February 28th, 2014: Vulnerability disclosure


11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.

###################################################
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close